cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches foraddons-for-divi addons-for-divi

Direction: ascending
Jun 07, 2024

Divi Torque Lite – Divi Theme and Extra Theme # e4f7485878715f741d7f9ed1e434d90951964a8e

Date
Feb 28, 2022
Research Description
Divi Torque Lite &#8211; Divi Modules for the Divi Builder &amp; Theme [addons-for-divi] < 3.5.0 WordPress DiviTorque – Divi Theme, Divi Builder and Extra Theme plugin <= 3.4.3 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress DiviTorque – Divi Theme, Divi Builder and Extra Theme plugin (versions <= 3.4.3).
Affected versions
max 3.5.0.
Status
vulnerable
Jun 13, 2024

Divi Torque Lite &#8211; Divi Theme and Extra Theme # CVE-2024-5892

CVE, Research URL

CVE-2024-5892

Date
Jun 12, 2024
Research Description
The Divi Torque Lite – Divi Theme and Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘support_unfiltered_files_upload’ function in all versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.0.0.
Status
vulnerable
Nov 15, 2024

Divi Torque Lite &#8211; Divi Theme and Extra Theme # CVE-2022-4974

CVE, Research URL

CVE-2022-4974

Date
Oct 16, 2024
Research Description
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 3.5.0.
Status
vulnerable
Jan 31, 2025

Divi Torque Lite &#8211; Divi Theme and Extra Theme # CVE-2025-0353

CVE, Research URL

CVE-2025-0353

Date
Jan 29, 2025
Research Description
The Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.1.1.
Status
vulnerable
Apr 13, 2026

Divi Torque Lite &#8211; Divi Theme and Extra Theme # CVE-2024-5647

CVE, Research URL

CVE-2024-5647

Date
Jul 03, 2025
Research Description
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
Affected versions
max 4.0.6.
Status
vulnerable
Jun 14, 2026

Divi Torque Lite &#8211; Divi Theme and Extra Theme # CVE-2023-33999

CVE, Research URL

CVE-2023-33999

Date
Jun 11, 2026
Research Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Affected versions
max 3.6.0.
Status
vulnerable
Jun 16, 2026

Divi Torque Lite &#8211; Divi Theme and Extra Theme # 6d8910c719b2a132ec93828cd37e418b19cac960

Date
Mar 04, 2022
Research Description
Divi Torque Lite &#8211; Divi Modules for the Divi Builder &amp; Theme [addons-for-divi] < 3.5.0 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 3.5.0.
Status
vulnerable

Divi Torque Lite &#8211; Divi Theme and Extra Theme # 8bcae76d5d389948045842212dd827e67d8d8e3c

Date
Feb 28, 2022
Research Description
Divi Torque Lite &#8211; Divi Modules for the Divi Builder &amp; Theme [addons-for-divi] < 3.5.0 WordPress DiviTorque – Divi Theme, Divi Builder and Extra Theme plugin <= 3.4.3 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress DiviTorque – Divi Theme, Divi Builder and Extra Theme plugin (versions <= 3.4.3).
Affected versions
max 3.5.0.
Status
vulnerable
Jul 09, 2026

Divi Torque Lite &#8211; Divi Theme and Extra Theme # CVE-2026-4275

CVE, Research URL

CVE-2026-4275

Date
Jul 09, 2026
Research Description
The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of '__return_true' as the permission_callback for the /install_plugin and /activate_plugin REST API endpoints, which bypasses WordPress's built-in REST API nonce verification. Although the endpoint callbacks contain internal current_user_can() checks, the absence of nonce verification means that a forged cross-site request from a logged-in administrator's browser will pass the capability check via the admin's session cookies. This makes it possible for unauthenticated attackers to install arbitrary plugins from WordPress.
Affected versions
max 4.3.0.
Status
vulnerable