Skip to content
Threat Feed
high advisory

CVE-2026-4275 - The Divi Torque Lite - Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to CSRF

The Divi Torque Lite plugin for WordPress, in versions up to 4.2.3, is vulnerable to Cross-Site Request Forgery (CVE-2026-4275), allowing an unauthenticated attacker to exploit inadequate nonce verification on the /install_plugin and /activate_plugin REST API endpoints to install arbitrary WordPress plugins, potentially leading to remote code execution or further system compromise.

A critical Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2026-4275, has been identified in the Divi Torque Lite - Divi Theme, Divi Builder & Extra Theme plugin for WordPress, affecting all versions up to and including 4.2.3. This flaw stems from the plugin's use of __return_true as the permission_callback for the /install_plugin and /activate_plugin REST API endpoints, effectively bypassing WordPress's native REST API nonce verification. While the endpoints contain internal current_user_can() checks, the lack of nonce protection means that a malicious cross-site request originating from a logged-in administrator's browser will pass authentication through existing session cookies. This vulnerability empowers unauthenticated attackers to remotely install arbitrary plugins from the WordPress repository, paving the way for potential remote code execution, website defacement, or complete site compromise.

Attack Chain

  1. An attacker crafts a malicious web page containing a CSRF payload targeting the Divi Torque Lite plugin's REST API endpoints for plugin installation.
  2. The malicious payload includes a forged HTTP POST request to [WordPress_URL]/wp-json/divi-torque-lite/v1/install_plugin or /activate_plugin, specifying an arbitrary plugin from the WordPress repository.
  3. The attacker employs social engineering tactics to lure a logged-in WordPress administrator into visiting the malicious web page.
  4. The administrator's browser, holding valid session cookies for the targeted WordPress site, automatically sends the forged POST request to the vulnerable WordPress instance.
  5. The Divi Torque Lite plugin's REST API endpoint receives the request but bypasses nonce verification due to the misconfigured __return_true permission_callback.
  6. The current_user_can() capability check passes because the request is sent with the administrator's active session context.
  7. The vulnerable plugin processes the request and proceeds to install or activate the attacker-specified malicious plugin from the WordPress repository.
  8. The attacker then leverages the newly installed or activated plugin, potentially exploiting known vulnerabilities within it or using it to achieve remote code execution, elevate privileges, or gain persistent access to the WordPress site.

Impact

Successful exploitation of CVE-2026-4275 allows unauthenticated attackers to install arbitrary plugins on affected WordPress sites. This can lead to severe consequences, including remote code execution, privilege escalation, data manipulation, website defacement, and full administrative control over the WordPress instance. The vulnerability carries a CVSS v3.1 Base Score of 8.8 (High), indicating its critical potential for widespread damage. Organizations relying on the Divi Torque Lite plugin face a significant risk of compromise, potentially affecting their data integrity, availability, and user trust.

Recommendation

  • Patch CVE-2026-4275 immediately by updating the Divi Torque Lite - Divi Theme, Divi Builder & Extra Theme plugin to a version beyond 4.2.3 as soon as a fix is released by the vendor.
  • Deploy the Sigma rule "Detect CVE-2026-4275 Exploitation - Divi Torque Lite CSRF" to your SIEM solution and tune for your environment to identify potential exploitation attempts.
  • Monitor web server logs for HTTP POST requests to /wp-json/divi-torque-lite/v1/install_plugin or /wp-json/divi-torque-lite/v1/activate_plugin that result in a successful status code, especially from unusual Referer headers or sources.

Detection coverage 1

Detect CVE-2026-4275 Exploitation - Divi Torque Lite CSRF

high

Detects CVE-2026-4275 exploitation - HTTP POST requests to the vulnerable /install_plugin or /activate_plugin REST API endpoints of the Divi Torque Lite plugin, indicating attempted or successful Cross-Site Request Forgery (CSRF) for arbitrary plugin installation.

sigma tactics: initial_access techniques: T1190 sources: webserver

Detection queries are available on the platform. Get full rules →