Cross-Site Request Forgery Vulnerability in Divi Theme and Builder for WordPress
CVE-2026-4275
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-4275?
The Divi Torque Lite β Divi Theme, Divi Builder, and Extra Theme plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to improper nonce verification in the /install_plugin and /activate_plugin REST API endpoints. The vulnerability arises because '__return_true' is used as the permission_callback, allowing unauthenticated attackers to exploit the absence of nonce checks. As a result, a malicious actor could forge requests from a logged-in administrator's browser and gain unauthorized access to install arbitrary plugins, thereby compromising the integrity of the WordPress site.
Affected Version(s)
Divi Torque Lite β Divi Modules for the Divi Builder & Theme 0 <= 4.2.3