Vulnerabilities and security researches foraddons-for-divi addons-for-divi
Direction: ascendingJun 07, 2024
Divi Torque Lite – Divi Theme and Extra Theme # e4f7485878715f741d7f9ed1e434d90951964a8e
- CVE, Research URL
- Date
- Feb 28, 2022
- Research Description
- Divi Torque Lite – Divi Modules for the Divi Builder & Theme [addons-for-divi] < 3.5.0 WordPress DiviTorque – Divi Theme, Divi Builder and Extra Theme plugin <= 3.4.3 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress DiviTorque – Divi Theme, Divi Builder and Extra Theme plugin (versions <= 3.4.3).
- Affected versions
-
max 3.5.0.
- Status
-
vulnerable
Jun 13, 2024
Divi Torque Lite – Divi Theme and Extra Theme # CVE-2024-5892
- CVE, Research URL
- Date
- Jun 12, 2024
- Research Description
- The Divi Torque Lite – Divi Theme and Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘support_unfiltered_files_upload’ function in all versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 4.0.0.
- Status
-
vulnerable
Nov 15, 2024
Divi Torque Lite – Divi Theme and Extra Theme # CVE-2022-4974
- CVE, Research URL
- Date
- Oct 16, 2024
- Research Description
- The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions
-
max 3.5.0.
- Status
-
vulnerable
Jan 31, 2025
Divi Torque Lite – Divi Theme and Extra Theme # CVE-2025-0353
- CVE, Research URL
- Date
- Jan 29, 2025
- Research Description
- The Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 4.1.1.
- Status
-
vulnerable
Apr 13, 2026
Divi Torque Lite – Divi Theme and Extra Theme # CVE-2024-5647
- CVE, Research URL
- Date
- Jul 03, 2025
- Research Description
- Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
- Affected versions
-
max 4.0.6.
- Status
-
vulnerable
Jun 14, 2026
Divi Torque Lite – Divi Theme and Extra Theme # CVE-2023-33999
- CVE, Research URL
- Date
- Jun 11, 2026
- Research Description
- Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
- Affected versions
-
max 3.6.0.
- Status
-
vulnerable
Jun 16, 2026
Divi Torque Lite – Divi Theme and Extra Theme # 6d8910c719b2a132ec93828cd37e418b19cac960
- CVE, Research URL
- Date
- Mar 04, 2022
- Research Description
- Divi Torque Lite – Divi Modules for the Divi Builder & Theme [addons-for-divi] < 3.5.0 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions
-
max 3.5.0.
- Status
-
vulnerable
Divi Torque Lite – Divi Theme and Extra Theme # 8bcae76d5d389948045842212dd827e67d8d8e3c
- CVE, Research URL
- Date
- Feb 28, 2022
- Research Description
- Divi Torque Lite – Divi Modules for the Divi Builder & Theme [addons-for-divi] < 3.5.0 WordPress DiviTorque – Divi Theme, Divi Builder and Extra Theme plugin <= 3.4.3 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress DiviTorque – Divi Theme, Divi Builder and Extra Theme plugin (versions <= 3.4.3).
- Affected versions
-
max 3.5.0.
- Status
-
vulnerable
Jul 09, 2026
Divi Torque Lite – Divi Theme and Extra Theme # CVE-2026-4275
- CVE, Research URL
- Date
- Jul 09, 2026
- Research Description
- The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of '__return_true' as the permission_callback for the /install_plugin and /activate_plugin REST API endpoints, which bypasses WordPress's built-in REST API nonce verification. Although the endpoint callbacks contain internal current_user_can() checks, the absence of nonce verification means that a forged cross-site request from a logged-in administrator's browser will pass the capability check via the admin's session cookies. This makes it possible for unauthenticated attackers to install arbitrary plugins from WordPress.
- Affected versions
-
max 4.3.0.
- Status
-
vulnerable