Skip to main content

Divi Torque Lite CVE-2026-4275

| EUVDEUVD-2026-42563 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-09 Wordfence GHSA-ggxj-99vw-g2xw
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network CSRF needs no attacker privileges (PR:N) but a forged request from an authenticated admin (UI:R); arbitrary plugin install yields full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 11:29 vuln.today
CVE Published
Jul 09, 2026 - 09:31 nvd
HIGH 8.8

DescriptionCVE.org

The Divi Torque Lite - Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of '__return_true' as the permission_callback for the /install_plugin and /activate_plugin REST API endpoints, which bypasses WordPress's built-in REST API nonce verification. Although the endpoint callbacks contain internal current_user_can() checks, the absence of nonce verification means that a forged cross-site request from a logged-in administrator's browser will pass the capability check via the admin's session cookies. This makes it possible for unauthenticated attackers to install arbitrary plugins from WordPress.

AnalysisAI

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious page targeting REST route
Delivery
Lure logged-in admin to visit
Exploit
Browser sends forged /install_plugin request
Execution
Nonce check bypassed via __return_true
Persist
Malicious plugin installed and activated
Impact
Code execution on WordPress server

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress site running Divi Torque Lite ≤ 4.2.3 with the vulnerable /install_plugin and /activate_plugin REST routes registered (default when the plugin is active). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, score 8.8) reflects genuinely high impact - a network-reachable, low-complexity attack requiring no attacker privileges, gated only by user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a web page containing a hidden auto-submitting form or fetch call targeting the site's /install_plugin REST endpoint with a chosen (attacker-hosted or backdoored) plugin, then lures a logged-in WordPress administrator to visit it (e.g., via a phishing email or malicious ad). Because the endpoint accepts the request without nonce verification, the administrator's browser silently installs and activates the plugin using their session cookies, giving the attacker code execution on the server. …
Remediation Update the Divi Torque Lite plugin to a version newer than 4.2.3 as soon as the vendor publishes a fixed release; the input identifies the flaw through 4.2.3 but does not confirm an exact patched version, so verify the current release against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/8be98cba-b891-42cf-8a6c-8fe05f27c9c3?source=cve) and the WordPress plugin changelog. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations running Divi Torque Lite versions ≤ 4.2.3 and immediately deactivate the plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-4275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy