<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Divi Torque Lite Plugin for WordPress (&lt; 4.2.3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/divi-torque-lite-plugin-for-wordpress--4.2.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 11:20:15 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/divi-torque-lite-plugin-for-wordpress--4.2.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-4275 - The Divi Torque Lite - Divi Theme, Divi Builder &amp; Extra Theme plugin for WordPress is vulnerable to CSRF</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-4275-divi-torque-lite-csrf/</link><pubDate>Thu, 09 Jul 2026 11:20:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-4275-divi-torque-lite-csrf/</guid><description>The Divi Torque Lite plugin for WordPress, in versions up to 4.2.3, is vulnerable to Cross-Site Request Forgery (CVE-2026-4275), allowing an unauthenticated attacker to exploit inadequate nonce verification on the /install_plugin and /activate_plugin REST API endpoints to install arbitrary WordPress plugins, potentially leading to remote code execution or further system compromise.</description><content:encoded><![CDATA[<p>A critical Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2026-4275, has been identified in the Divi Torque Lite - Divi Theme, Divi Builder &amp; Extra Theme plugin for WordPress, affecting all versions up to and including 4.2.3. This flaw stems from the plugin's use of <code>__return_true</code> as the <code>permission_callback</code> for the <code>/install_plugin</code> and <code>/activate_plugin</code> REST API endpoints, effectively bypassing WordPress's native REST API nonce verification. While the endpoints contain internal <code>current_user_can()</code> checks, the lack of nonce protection means that a malicious cross-site request originating from a logged-in administrator's browser will pass authentication through existing session cookies. This vulnerability empowers unauthenticated attackers to remotely install arbitrary plugins from the WordPress repository, paving the way for potential remote code execution, website defacement, or complete site compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious web page containing a CSRF payload targeting the Divi Torque Lite plugin's REST API endpoints for plugin installation.</li>
<li>The malicious payload includes a forged HTTP <code>POST</code> request to <code>[WordPress_URL]/wp-json/divi-torque-lite/v1/install_plugin</code> or <code>/activate_plugin</code>, specifying an arbitrary plugin from the WordPress repository.</li>
<li>The attacker employs social engineering tactics to lure a logged-in WordPress administrator into visiting the malicious web page.</li>
<li>The administrator's browser, holding valid session cookies for the targeted WordPress site, automatically sends the forged <code>POST</code> request to the vulnerable WordPress instance.</li>
<li>The Divi Torque Lite plugin's REST API endpoint receives the request but bypasses nonce verification due to the misconfigured <code>__return_true</code> <code>permission_callback</code>.</li>
<li>The <code>current_user_can()</code> capability check passes because the request is sent with the administrator's active session context.</li>
<li>The vulnerable plugin processes the request and proceeds to install or activate the attacker-specified malicious plugin from the WordPress repository.</li>
<li>The attacker then leverages the newly installed or activated plugin, potentially exploiting known vulnerabilities within it or using it to achieve remote code execution, elevate privileges, or gain persistent access to the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4275 allows unauthenticated attackers to install arbitrary plugins on affected WordPress sites. This can lead to severe consequences, including remote code execution, privilege escalation, data manipulation, website defacement, and full administrative control over the WordPress instance. The vulnerability carries a CVSS v3.1 Base Score of 8.8 (High), indicating its critical potential for widespread damage. Organizations relying on the Divi Torque Lite plugin face a significant risk of compromise, potentially affecting their data integrity, availability, and user trust.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-4275 immediately by updating the Divi Torque Lite - Divi Theme, Divi Builder &amp; Extra Theme plugin to a version beyond 4.2.3 as soon as a fix is released by the vendor.</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-4275 Exploitation - Divi Torque Lite CSRF&quot; to your SIEM solution and tune for your environment to identify potential exploitation attempts.</li>
<li>Monitor web server logs for HTTP POST requests to <code>/wp-json/divi-torque-lite/v1/install_plugin</code> or <code>/wp-json/divi-torque-lite/v1/activate_plugin</code> that result in a successful status code, especially from unusual <code>Referer</code> headers or sources.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web</category><category>vulnerability</category><category>wordpress</category><category>csrf</category><category>cve</category></item></channel></rss>