Description
The Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-01-29
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting
Action: Patch Now
AI Analysis

Impact

The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress contains insufficient input sanitization and output escaping on a number of widget attributes, allowing a user with contributor-level access or above to persist malicious scripts in stored content. When a page that includes an injected widget is viewed, the embedded script executes in the victim's browser, potentially exposing session data, hijacking accounts, or delivering additional payloads. This is a classic example of a stored cross‑site scripting flaw (CWE‑79).

Affected Systems

All versions of the Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin up to and including 4.1.0 are affected. Any WordPress site that has one of these versions installed and permits contributors to create or edit widget instances is exposed to this flaw.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability requires authenticated access at the contributor level or higher, meaning that an internal attacker or a compromised contributor account could inject malicious scripts into widget content. Although the flaw is not yet listed in CISA KEV, the potential for cross‑site scripting makes it a significant threat to site visitors and the integrity of user sessions.

Generated by OpenCVE AI on April 21, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin to a version newer than 4.1.0 that includes the required input sanitization and output escaping fixes.
  • If an upgrade is not immediately feasible, remove or disable the affected widgets from public pages, and restrict contributor accounts from adding custom HTML or script content to widget attributes.
  • Implement a Content Security Policy that blocks inline script execution and disallows loading of third‑party scripts from unknown sources to reduce the impact of any remaining stored scripts.


Advisories
Source: EUVD
ID: EUVD-2025-1622
Title: The Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Links
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/FlipBox/FlipBox.php#L1053
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/GradientHeading/GradientHeading.php#L344
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/ImageCarouselChild/ImageCarouselChild.php#L507
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/InfoBox/InfoBox.php#L852
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/InfoCard/InfoCard.php#L688
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/InlineNotice/InlineNotice.php#L486
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/LogoCarouselChild/LogoCarouselChild.php#L177
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/LogoGridChild/LogoGridChild.php#L193
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/Review/Review.php#L703
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/ScrollImage/ScrollImage.php#L388
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/Testimonial/Testimonial.php#L1147
https://plugins.trac.wordpress.org/browser/addons-for-divi/trunk/includes/modules/divi-4/VideoModal/VideoModal.php#L593
https://plugins.trac.wordpress.org/changeset/3230743/
https://wordpress.org/plugins/addons-for-divi/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5810757-1866-4788-809f-2c68e16a5156?source=cve
History

Thu, 09 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Jan 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Divi Torque Lite <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

WordPress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:09.410Z

Reserved: 2025-01-08T23:37:58.329Z

Link: CVE-2025-0353

Vulnrichment

Updated: 2025-02-12T19:45:56.310Z

NVD

Status : Deferred

Published: 2025-01-29T12:15:29.477

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0353

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses