Elegant Themes has announced that several of their products contain a code injection vulnerability and should be updated immediately. This vulnerability allows an untrusted user to execute PHP functions.
Divi, a widely-used WordPress theme, along with two other Elegant Themes products, need to be updated right away by publishers.
Elegant Themes Announcement
The official announcement explained that the vulnerability was discovered during a routine audit.
This is how they described the discovery:
“A code injection vulnerability was discovered by our team during a routine code audit that could allow logged in contributors, authors, and editors to execute a small set of PHP functions.”
Elegant Themes Products with Vulnerability
The vulnerability was found in three Elegant Themes products: the popular Divi theme, Extra theme, and the Divi Builder plugin.
What is the Divi, Extra, and Builder Vulnerability?
This is a code injection vulnerability. It allows logged-in contributors to execute a limited set of PHP functions.
Generally, a code injection attack enables a hacker to execute commands that may compromise the website or even the entire server. Such vulnerabilities can potentially allow a malicious user to install malware on a website.
This vulnerability affects Elegant Theme publishers using Divi version 3.23 and higher, Extra version 2.23 and higher, or Divi Builder version 2.23 and higher, especially those who have given publishing credentials to contributors.
How to Protect Against Divi Vulnerability
Updating to the latest versions of Divi, Extra, and the Divi Builder plugin (versions 4.0.10) will protect against this vulnerability.
While it may not affect users without third-party contributors, authors, and editors, it is still advisable to update the Divi theme due to the numerous bug fixes included in this update.
Updated changelogs for the Divi theme, Elegant Themes Extra theme, and Elegant Themes Builder, along with an archive of the email announcement, are also available.