Skip to main content
CVE Vulnerability Database

CVE-2026-4275: Divi Torque Lite Plugin CSRF Vulnerability

CVE-2026-4275 is a Cross-Site Request Forgery flaw in Divi Torque Lite plugin for WordPress that allows attackers to install arbitrary plugins. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-4275 Overview

CVE-2026-4275 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the Divi Torque Lite plugin for WordPress. The flaw affects all versions up to and including 4.2.3. The plugin registers the /install_plugin and /activate_plugin REST API endpoints with __return_true as the permission_callback, bypassing WordPress's built-in nonce verification. Attackers can trick an authenticated administrator into visiting a malicious page, causing the browser to install and activate arbitrary plugins from the WordPress repository using the administrator's session.

Critical Impact

Unauthenticated attackers can install and activate arbitrary WordPress plugins by coercing a logged-in administrator to visit a crafted page, leading to full site compromise.

Affected Products

  • Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress
  • All versions up to and including 4.2.3
  • WordPress sites with the addons-for-divi plugin installed and active

Discovery Timeline

  • 2026-07-09 - CVE CVE-2026-4275 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-4275

Vulnerability Analysis

The vulnerability resides in the plugin's REST API implementation located in includes/rest-api.php. The plugin registers two sensitive endpoints, /install_plugin and /activate_plugin, which perform plugin installation and activation operations. Both endpoints declare permission_callback as __return_true, which unconditionally allows the request to pass the REST API authorization gate.

This design decision defeats WordPress's automatic REST API nonce verification. The X-WP-Nonce header, which normally binds a request to a legitimate user session, is never validated. Although the endpoint callbacks internally invoke current_user_can() capability checks, these checks only verify the effective user's role rather than proving the request originated from an intentional administrator action.

Root Cause

The root cause is the misuse of __return_true as the permission_callback. WordPress core relies on the permission_callback phase to enforce nonce checks for authenticated REST requests. Returning true unconditionally suppresses that enforcement. When a browser session already holds a valid administrator cookie, a forged cross-origin request satisfies current_user_can() because the capability check does not distinguish forged requests from legitimate ones.

Attack Vector

An attacker hosts a malicious page containing a hidden form or JavaScript that issues a POST request to the vulnerable REST route on the target WordPress site. When a logged-in administrator visits the page, the browser attaches the WordPress session cookies to the request. The server accepts the request, installs the specified plugin from the WordPress.org repository, and optionally activates it. Because plugins can execute arbitrary PHP once active, this pathway leads to complete site takeover. Exploitation requires user interaction from a privileged user but no attacker authentication.

Refer to the WordPress Plugin Code Review at line 230 and the Wordfence Vulnerability Report for the underlying source-level analysis.

Detection Methods for CVE-2026-4275

Indicators of Compromise

  • Unexpected plugins appearing under wp-content/plugins/ or in the WordPress admin plugin list.
  • POST requests to /wp-json/*install_plugin or /wp-json/*activate_plugin originating with Referer headers from external or unknown domains.
  • Entries in web server access logs showing successful REST API calls to the Divi Torque install or activate endpoints without a preceding admin-initiated workflow.
  • New administrator sessions correlating in time with plugin installation events triggered outside the WordPress admin UI.

Detection Strategies

  • Monitor HTTP access logs for requests to REST routes exposed by the addons-for-divi plugin, particularly install and activate endpoints.
  • Compare the installed plugin inventory against a known-good baseline and alert on additions.
  • Inspect the Origin and Referer headers on privileged REST requests and flag mismatches against the site's canonical hostname.
  • Deploy a web application firewall rule to block POST requests to the vulnerable endpoints when the X-WP-Nonce header is missing or invalid.

Monitoring Recommendations

  • Enable WordPress audit logging to capture plugin install and activation events with user, IP, and timestamp attribution.
  • Forward WordPress and web server logs to a centralized SIEM or data lake for correlation and long-term retention.
  • Alert on any change to the plugins directory made outside scheduled maintenance windows.
  • Track outbound requests from the WordPress host to the WordPress.org plugin API for unexpected download activity.

How to Mitigate CVE-2026-4275

Immediate Actions Required

  • Update the Divi Torque Lite plugin to a version newer than 4.2.3 as soon as the vendor publishes a patched release.
  • Audit the plugin list on all affected WordPress sites and remove any unrecognized plugins.
  • Rotate administrator credentials and invalidate active sessions after remediation.
  • Restrict administrator browsing sessions so privileged users do not visit untrusted sites while logged into WordPress.

Patch Information

The vendor addressed the issue in the plugin trunk. Details of the source changes are available in the WordPress Plugin Changeset. Administrators should upgrade to the fixed release referenced in the Wordfence Vulnerability Report.

Workarounds

  • Deactivate and remove the Divi Torque Lite plugin until a fixed version is installed.
  • Configure a web application firewall to block requests to the vulnerable REST routes or require a valid X-WP-Nonce header.
  • Enforce least privilege by limiting the number of accounts with the install_plugins and activate_plugins capabilities.
  • Require administrators to use a dedicated browser or profile for WordPress management to reduce CSRF exposure.
bash
# Configuration example: temporary WAF rule (ModSecurity syntax)
SecRule REQUEST_URI "@rx /wp-json/.*(install_plugin|activate_plugin)" \
    "id:1004275,phase:1,deny,status:403,\
    msg:'Block Divi Torque Lite CSRF endpoints (CVE-2026-4275)',\
    chain"
    SecRule &REQUEST_HEADERS:X-WP-Nonce "@eq 0"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.