Security Risk Category

divi Security Risks

Published vulnerability pages connected to divi. One risk can appear in multiple categories while keeping one canonical page.

divi risks

Showing 2 of 2 published risks.

highEPSS 0.003

Divi Form Builder WordPress Plugin Account Takeover Vulnerability

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover.

CVE-2026-5523wordpressdividivi-form-builderaccount-takeover

Updated Jul 10, 2026

high

Divi Torque Lite REST API CSRF Plugin Installation Vulnerability

The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of '__return_true' as the permission_callback for the /install_plugin and /activate_plugin REST API endpoints, which bypasses WordPress's built-in REST API nonce verification. Although the endpoint callbacks contain internal current_user_can() checks, the absence of nonce verification means that a forged cross-site request from a logged-in administrator's browser will pass the capability check via the admin's session cookies. This makes it possible for unauthenticated attackers to install arbitrary plugins from WordPress.

CVE-2026-4275wordpressdividivi-torque-litecsrf

Updated Jul 10, 2026