Skip to main content

Divi Torque Lite Divi Modules For The Divi Builder Theme

1 CVEs product

Monthly

CVE-2026-4275 HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD
CVSS 3.1
8.8
EPSS
0.2%
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy