What is CVE-2025-0353?

The Divi Torque Lite plugin for WordPress is affected by a stored cross-site scripting vulnerability that impacts all versions up to 4.1.0. Authenticated attackers can exploit this flaw to execute arbitrary scripts. Immediate patching is recommended to mitigate risks.

What is the severity of CVE-2025-0353?

CVE-2025-0353 has a severity rating of MEDIUM with a CVSS base score of 6.4.

CVE-2025-0353 | Medium Vulnerability in WordPress Divi Torque Lite Plugin

The Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This vulnerability is classified with a CVSS score of 6.4, indicating a medium severity level. The attack vector is network-based, and it requires low complexity with low privileges needed for exploitation. The urgency for defenders is high, as the potential for exploitation exists, and organizations should prioritize patching immediately.

Risk to organizations includes unauthorized script execution, which may lead to data theft, defacement, or session hijacking. Immediate remediation is essential to mitigate potential impacts.

According to threat intelligence, there is currently no known public exploit available, and the vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) database. However, organizations should remain vigilant.

Vulnerability Details

The CVE-2025-0353 vulnerability in the Divi Torque Lite plugin allows for stored cross-site scripting, which is classified under CWE-79. The last modification to this CVE was on April 15, 2026, with the original publication date being January 29, 2025.

Technical Analysis

The root cause of this vulnerability is insufficient input sanitization and output escaping when handling user-supplied attributes in several widgets. The attack vector is through the network, allowing attackers to exploit the vulnerability remotely. The attack complexity is low, with authenticated users being able to exploit the vulnerability without any user interaction required.

The impact on confidentiality and integrity is classified as low, as attackers may access and manipulate content but cannot affect availability. The vulnerability's scope is changed, which indicates that the impact may extend beyond the vulnerable instance.

Risk & Impact Analysis

In real-world deployments, the risk is significant, especially for organizations using the Divi Torque Lite plugin on critical websites. The potential for attackers to execute arbitrary scripts could lead to severe reputational damage and loss of sensitive data. Organizations should assess their exposure and the potential blast radius of this vulnerability.

With a CVSS score of 6.4, organizations should address this vulnerability in their priority patch cycle.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions of the Divi Torque Lite plugin prior to version 4.1.0 are affected by this vulnerability.

Mitigation & Remediation

Organizations should update the Divi Torque Lite plugin to the latest version to ensure the vulnerability is patched. If an immediate upgrade is not possible, it is recommended to disable the affected widgets and perform thorough code reviews to ensure input sanitization is performed correctly.

Further, organizations can benefit from implementing security practices such as regular security assessments, including application security assessments to identify and remediate similar vulnerabilities.

Detection Guidance

To detect potential exploitation attempts of this vulnerability, organizations should monitor for unusual user behavior, particularly from authenticated users. Log indicators such as attempts to inject scripts or access certain widgets may signal an ongoing attack.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-0353 lies in the ongoing risks associated with inadequate input sanitization practices in widely used plugins. It highlights the necessity for developers to prioritize security during the development process.

Security teams should learn from this incident to enhance their vulnerability management programs, focusing on continuous security testing and proactive threat modeling.

Organizations are encouraged to adopt a robust security posture by integrating practices such as penetration testing and regular security audits to ensure all systems are secured against evolving threats.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-0353: Medium Vulnerability in WordPress Divi Torque Lite Plugin