CVE-2026-4275

badhonrocks · Divi Torque Lite – Divi Modules for the Divi Builder & Theme

The Divi Torque Lite plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF), potentially allowing unauthorized state-changing actions via a victim's session.

Executive summary

The Divi Torque Lite plugin for WordPress is vulnerable to a Cross-Site Request Forgery (CSRF) flaw that could allow an attacker to perform unauthorized actions on behalf of an authenticated user.

Vulnerability

This vulnerability is a Cross-Site Request Forgery (CWE-352) flaw. It occurs because the plugin fails to perform adequate validation or nonce checks, allowing an unauthenticated attacker to trick a logged-in user into executing unintended actions.

Business impact

Successful exploitation of this CSRF vulnerability could lead to unauthorized administrative actions, such as changing plugin configurations or modifying site settings, depending on the privileges of the victim. With a CVSS score of 8.8, this represents a high-severity risk that could compromise the integrity and availability of the WordPress environment.

Remediation

Immediate Action: Update the Divi Torque Lite plugin to the latest available version provided by the vendor to ensure proper nonce validation is implemented.

Proactive Monitoring: Review administrative access logs for unusual activity or unauthorized configuration changes performed during active user sessions.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block suspicious cross-site requests and validate HTTP referrers.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The high CVSS score underscores the significant impact this vulnerability poses to site integrity. Administrators should prioritize the update of the Divi Torque Lite plugin immediately to mitigate the risk of unauthorized state changes.