Divi Torque Lite REST API CSRF Plugin Installation Vulnerability
The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of '__return_true' as the permission_callback for the /install_plugin and /activate_plugin REST API endpoints, which bypasses WordPress's built-in REST API nonce verification. Although the endpoint callbacks contain internal current_user_can() checks, the absence of nonce verification means that a forged cross-site request from a logged-in administrator's browser will pass the capability check via the admin's session cookies. This makes it possible for unauthenticated attackers to install arbitrary plugins from WordPress.
Quick answer
Divi Torque Lite should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Divi Torque Lite up to and including 4.2.3
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Divi Torque Lite up to and including 4.2.3 is affected by CVE-2026-4275. Because the REST endpoint does not enforce proper nonce verification, a logged-in administrator can be tricked into installing or activating plugins through a forged request.
- Inventory all WordPress sites using Divi Torque Lite.
- Update Divi Torque Lite beyond 4.2.3 when a patched release is available.
- Disable the plugin if administrators actively manage the site and no fixed release is available.
- Restrict the vulnerable REST endpoints with a WAF or server rule until patched.
- Review installed plugins for unexpected additions or activations after the exposure window.
- Ask administrators to sign out of WordPress after use and avoid opening untrusted links while authenticated.
- Clear caches and regenerate security nonces by forcing fresh admin sessions after patching.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Divi Torque Lite is no longer version 4.2.3 or older.
- Attempt a safe forged REST request in staging and confirm it fails without a valid WordPress REST nonce.
- Confirm administrator plugin installation still works through the normal dashboard flow.
- Audit active plugins and file modification times for unauthorized changes.
- Run a Fixnx scan and review the WordPress site for exposed admin or plugin surfaces.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-4275?
Divi Torque Lite versions listed as affected should be reviewed: Divi Torque Lite up to and including 4.2.3.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
