WordFence researchers have identified a critical vulnerability in Elegant Themes’ Divi and Extra themes, as well as the Divi Builder plugin. This vulnerability enables an attacker to gain complete control over affected websites.
The Divi Builder Plugin is a standalone tool that allows users to incorporate Divi’s builder functionality into any third-party theme. Additionally, the Elegant Themes’ Divi and Extra themes already come with this builder functionality integrated.
The discovered vulnerability originates from a flaw in the builder functionality across all three products.
What the Elegant Themes Vulnerability Is
The Elegant Themes exploit leverages a vulnerability in a Divi feature that permits users with publishing or editing privileges to upload malicious files. To exploit this vulnerability, an attacker first needs to compromise a registered user with those specific privilege levels.
This vulnerability impacts the portability feature in Divi, which allows users with editor, contributor, or author level credentials to import or export page templates. The flaw in this feature permits a malicious attacker to upload PHP files, which can then be used to take over the entire site.
WordFence Description of Vulnerability
WordFence offers a WordPress security plugin that provides protection against various security issues. Part of their service includes testing WordPress plugins to identify vulnerabilities. Users of their premium plugin receive immediate protection against newly discovered security threats.
WordFence elaborates on how the vulnerability compromises websites:
“This flaw made it possible for authenticated attackers to easily bypass the JavaScript client-side check and upload malicious PHP files to a targeted website. An attacker could easily use a malicious file uploaded via this method to completely take over a site.”
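The quote above puts the finger on the real defect: a check that runs only in the browser's JavaScript is under the uploader's control. The following is an added example, not code from Divi, Elegant Themes or Wordfence, of the server-side validation a template import handler needs regardless of any client-side filter; it assumes the import format is JSON and that the upload arrives as `$_FILES['import']`, neither of which the article states.

```php
<?php
// Added example, not Divi's, Elegant Themes' or Wordfence's code. Validates a
// template import on the server, which a browser-side JavaScript check cannot
// do because the uploader controls the browser. Assumes a JSON export format
// and an upload field named 'import' (both assumptions, not stated on the page).

function validate_template_import(array $file): array
{
    // Refuse anything PHP itself rejected during the upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    // Only trust the temp file PHP created; never a client-supplied path.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    // Allowlist the extension of the client-supplied name; "t.php" and
    // "t.json.php" both fail. $file['type'] is client-supplied, so ignore it.
    if (!preg_match('/^[A-Za-z0-9_-]+\.json$/', basename($file['name']))) {
        return [false, 'only .json imports are accepted'];
    }
    // Check the bytes on disk, not the name or the declared MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['application/json', 'text/plain'], true)) {
        return [false, "unexpected content type: $mime"];
    }
    $raw = file_get_contents($file['tmp_name']);
    if (stripos($raw, '<?php') !== false || stripos($raw, '<?=') !== false) {
        return [false, 'import contains PHP code'];
    }
    $data = json_decode($raw, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        return [false, 'import is not valid JSON'];
    }
    // Only the parsed data goes on to the importer; the uploaded file is
    // never moved into a web-served directory, so nothing here can be executed.
    return [true, $data];
}

// Handler: the capability check lives here too, not only in the builder UI.
if (isset($_FILES['import'])) {
    if (!current_user_can('edit_posts')) {           // WordPress core function
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    [$ok, $result] = validate_template_import($_FILES['import']);
    if (!$ok) {
        wp_die('Import rejected: ' . esc_html($result), '', ['response' => 400]);
    }
    // ... hand $result to the template importer ...
}
```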
Elegant Themes Statement on Vulnerability
While Elegant Themes’ announcement mentions "untrustworthy users," even trustworthy users with weak passwords or compromised accounts could fall victim to this attack.
Below is the text of the Elegant Themes changelog entry.
“Every website with potentially untrustworthy users that have access to the builder using Divi version 3.0 and above, Extra 2.0 and above or Divi Builder version 2.0 and above are affected and should update to the latest product versions.
Product versions 4.5.3 include the security patch.”
Security Patch Issued for Affected Elegant Themes Products
The vulnerability was discovered on July 23, 2020, by WordFence researchers, and the security patch was tested and released on August 3, 2020.
Update Divi, Extra, and Divi Builder Plugin
All publishers are strongly advised to update their Divi and Extra themes to version 4.5.3 immediately. Those using the standalone Divi Builder plugin should also update to the latest version.
Citations
WordFence: Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder
Elegant Themes Email Announcement