CVE-2026-4275
badhonrocks · Divi Torque Lite – Divi Modules for the Divi Builder & Theme
The Divi Torque Lite plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), potentially allowing unauthorized state-changing actions via a victim's session.
Executive summary
The Divi Torque Lite plugin for WordPress is vulnerable to a Cross-Site Request Forgery (CSRF) flaw that could allow an attacker to perform unauthorized actions on behalf of an authenticated user.
Vulnerability
This vulnerability is a Cross-Site Request Forgery (CWE-352) flaw. It occurs because the plugin fails to perform adequate validation or nonce checks, allowing an unauthenticated attacker to trick a logged-in user into executing unintended actions.
Business impact
Successful exploitation of this CSRF vulnerability could lead to unauthorized administrative actions, such as changing plugin configurations or modifying site settings, depending on the privileges of the victim. With a CVSS score of 8.8, this represents a high-severity risk that could compromise the integrity and availability of the WordPress environment.
Remediation
Immediate Action: Update the Divi Torque Lite plugin to the latest available version provided by the vendor to ensure proper nonce validation is implemented.
Proactive Monitoring: Review administrative access logs for unusual activity or unauthorized configuration changes performed during active user sessions.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious cross-site requests and validate HTTP referrers.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The high CVSS score underscores the significant impact this vulnerability poses to site integrity. Administrators should prioritize the update of the Divi Torque Lite plugin immediately to mitigate the risk of unauthorized state changes.