CVE-2025-0353 is a stored cross-site scripting vulnerability identified in the Divi Torque Lite plugin for WordPress, a popular addon providing extensions, modules, and social modules for the Divi theme. The vulnerability exists due to improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of user-supplied attributes in multiple widgets. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript payloads into pages or posts. These malicious scripts are stored persistently and executed in the context of any user who views the infected page, enabling attacks such as session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability affects all versions up to and including 4.1.0 of Divi Torque Lite. The CVSS v3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, privileges required at the contributor level, no user interaction needed, and a scope change indicating that the vulnerability affects resources beyond the attacker’s privileges. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the plugin. The vulnerability was published on January 29, 2025, and assigned by Wordfence. No official patches or updates have been linked yet, so mitigation relies on configuration changes and monitoring.

The impact of CVE-2025-0353 is considerable for organizations using the Divi Torque Lite plugin on WordPress sites. Successful exploitation allows an attacker with contributor-level access to inject persistent malicious scripts, which execute in the browsers of site visitors and administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since contributor-level users can create and edit content but not publish, the vulnerability could be exploited in environments where contributors are trusted but not fully vetted. The scope change means the attacker can affect users with higher privileges, potentially escalating the attack impact. Organizations with public-facing WordPress sites that rely on this plugin risk reputational damage, data breaches, and loss of user trust. The vulnerability does not directly affect availability but compromises confidentiality and integrity. Given the plugin’s popularity, the potential attack surface is large, and automated exploitation tools could emerge if the vulnerability is weaponized.

To mitigate CVE-2025-0353, organizations should first verify if they use the Divi Torque Lite plugin and identify the version installed. Until an official patch is released, administrators should restrict contributor-level user permissions to the minimum necessary, possibly disabling widget editing capabilities or removing untrusted contributors. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injection attempts can reduce risk. Site owners should audit all content created by contributors for malicious code and sanitize inputs manually if feasible. Employing security plugins that enforce output escaping and input validation can help mitigate exploitation. Monitoring logs for unusual activity or script injections is advised. Once a vendor patch or update becomes available, immediate application is critical. Additionally, educating contributors about secure content creation and the risks of script injection can reduce accidental exploitation.