CVE-2026-4275 - The Divi Torque Lite - Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to CSRF
The Divi Torque Lite plugin for WordPress, in versions up to 4.2.3, is vulnerable to Cross-Site Request Forgery (CVE-2026-4275), allowing an unauthenticated attacker to exploit inadequate nonce verification on the /install_plugin and /activate_plugin REST API endpoints to install arbitrary WordPress plugins, potentially leading to remote code execution or further system compromise.
A critical Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2026-4275, has been identified in the Divi Torque Lite - Divi Theme, Divi Builder & Extra Theme plugin for WordPress, affecting all versions up to and including 4.2.3. This flaw stems from the plugin's use of __return_true as the permission_callback for the /install_plugin and /activate_plugin REST API endpoints, effectively bypassing WordPress's native REST API nonce verification. While the endpoints contain internal current_user_can() checks, the lack of nonce protection means that a malicious cross-site request originating from a logged-in administrator's browser will pass authentication through existing session cookies. This vulnerability empowers unauthenticated attackers to remotely install arbitrary plugins from the WordPress repository, paving the way for potential remote code execution, website defacement, or complete site compromise.
Attack Chain
- An attacker crafts a malicious web page containing a CSRF payload targeting the Divi Torque Lite plugin's REST API endpoints for plugin installation.
- The malicious payload includes a forged HTTP
POSTrequest to[WordPress_URL]/wp-json/divi-torque-lite/v1/install_pluginor/activate_plugin, specifying an arbitrary plugin from the WordPress repository. - The attacker employs social engineering tactics to lure a logged-in WordPress administrator into visiting the malicious web page.
- The administrator's browser, holding valid session cookies for the targeted WordPress site, automatically sends the forged
POSTrequest to the vulnerable WordPress instance. - The Divi Torque Lite plugin's REST API endpoint receives the request but bypasses nonce verification due to the misconfigured
__return_truepermission_callback. - The
current_user_can()capability check passes because the request is sent with the administrator's active session context. - The vulnerable plugin processes the request and proceeds to install or activate the attacker-specified malicious plugin from the WordPress repository.
- The attacker then leverages the newly installed or activated plugin, potentially exploiting known vulnerabilities within it or using it to achieve remote code execution, elevate privileges, or gain persistent access to the WordPress site.
Impact
Successful exploitation of CVE-2026-4275 allows unauthenticated attackers to install arbitrary plugins on affected WordPress sites. This can lead to severe consequences, including remote code execution, privilege escalation, data manipulation, website defacement, and full administrative control over the WordPress instance. The vulnerability carries a CVSS v3.1 Base Score of 8.8 (High), indicating its critical potential for widespread damage. Organizations relying on the Divi Torque Lite plugin face a significant risk of compromise, potentially affecting their data integrity, availability, and user trust.
Recommendation
- Patch CVE-2026-4275 immediately by updating the Divi Torque Lite - Divi Theme, Divi Builder & Extra Theme plugin to a version beyond 4.2.3 as soon as a fix is released by the vendor.
- Deploy the Sigma rule "Detect CVE-2026-4275 Exploitation - Divi Torque Lite CSRF" to your SIEM solution and tune for your environment to identify potential exploitation attempts.
- Monitor web server logs for HTTP POST requests to
/wp-json/divi-torque-lite/v1/install_pluginor/wp-json/divi-torque-lite/v1/activate_pluginthat result in a successful status code, especially from unusualRefererheaders or sources.
Detection coverage 1
Detect CVE-2026-4275 Exploitation - Divi Torque Lite CSRF
highDetects CVE-2026-4275 exploitation - HTTP POST requests to the vulnerable /install_plugin or /activate_plugin REST API endpoints of the Divi Torque Lite plugin, indicating attempted or successful Cross-Site Request Forgery (CSRF) for arbitrary plugin installation.
Detection queries are available on the platform. Get full rules →