WordPress Divi Builder PHP Code Injection
Elegant Themes’ Divi Builder is the most popular WordPress page builder. It enables users to build beautiful pages without knowing how to code. The Divi Builder WordPress plugin is vulnerable to a content injection attack that lets attackers inject and execute arbitrary code because the application fails to sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
During a routine security audit, critical vulnerabilities were found in the Divi Builder Plugin, Divi Theme, and Extra Theme. This vulnerability can be exploited and could get your WordPress site hacked.
You must update to plugin version 4.0.10 or later and take immediate steps to fix the vulnerability.
Vulnerable Plugins & Themes:
- Divi Builder Plugin
- Divi Theme
- Extra Theme
Timeline:
- Vulnerability Disclosed: 02-01-2020
- Patch Release Date: 03-01-2020
Patched Versions:
- Divi Builder Plugin – 4.0.10
- Divi Theme – 4.0.10
- Extra Theme – 4.0.10
Over 600,000 websites are using Divi Builder. Many of these websites are also powered by the Divi or the Extra Theme.
Right away, the Elegant Themes team released updates for their affected products, which fix these security issues along with a few other bugs.
So updating Divi, Extra, and the Divi Builder plugin is important and urgent.
Divi is incredibly easy to use and you’ll be building websites in record time.
Divi Builder, which was added to Divi 4.0, allows you to create your website on the front-end in real-time.
In other words, you see your changes as you make them, eliminating back-end trips, saving you a lot of time.
All elements on the page can be easily customized; it’s all point and clicks. If you want to move items around, drag and drop functionality is at your disposal.
You must take immediate steps to fix the vulnerability. In this article, we’ll tell you what you need to protect your website.
What is the Divi Vulnerability & its Impact?
An internal code audit by Elegant Themes detected several security vulnerabilities in the company's most popular current products, including the well-known Divi theme.
The vulnerability allows users in lower-privileged roles, such as Contributor, Author, and Editor, to execute certain PHP functions.
The vulnerability can be exploited by untrustworthy users. If you are affected by the vulnerability, you need to take immediate action.
A privilege escalation vulnerability was discovered that could allow low-level users, such as those with the Author role, to use unfiltered HTML within post content when using the Divi Builder.
The use of this code in the entries is usually reserved for administrators.
Are You Affected by the Divi Vulnerability?
The problems identified affect all websites that use the Divi theme, the Extra theme or the Divi Builder plugin. They are especially relevant for websites that also allow open user registration or that have low-privileged authors publishing content.
Websites running the following versions are affected by the vulnerability:
- Divi Builder version 2.23 and above.
- Divi version 3.23 and above.
- Extra 2.23 and above.
How do you know what Divi Builder version you have?
To check which version of the Divi Builder plugin you are using,
- log into your WordPress dashboard,
- go to Plugins > Installed Plugins > Divi Builder.
You will find a small description of the plugin along with the plugin version.
As for the themes,
- go to Appearance > Themes > Divi & Extra and then click on Details.
You’ll find the version of the theme.
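If you manage several sites, clicking through each dashboard is slow. The following POSIX sh helper is an added example, not code from the article or from Elegant Themes: it takes a product name and an installed version and reports whether that install falls in the affected range (Divi Builder and Extra from 2.23, Divi from 3.23) and below the 4.0.10 patch. The product names `divi-builder`, `divi` and `extra` are assumed labels, and the CSV shape it reads is that of `wp plugin list --fields=name,version --format=csv` (header line included) when WP-CLI is available on the server.

```shell
#!/bin/sh
# Added example (not from the original article): check whether an installed
# Divi product still needs the 4.0.10 security update.
# Affected-from versions (2.23 / 3.23) and the fixed version (4.0.10) are taken
# from the article; the product names below are assumed labels.

PATCHED_VERSION="4.0.10"

# version_ge A B -> succeeds when version string A is >= B.
# Relies on sort -V (GNU coreutils and busybox) for natural version ordering.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# divi_status PRODUCT VERSION -> prints: vulnerable | patched | unaffected | unknown
#   PRODUCT (case-insensitive): divi-builder | divi | extra
divi_status() {
    product=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    version="$2"
    case "$product" in
        divi-builder|extra) first_affected="2.23" ;;   # Divi Builder / Extra
        divi)               first_affected="3.23" ;;   # Divi theme
        *) echo "unknown"; return 0 ;;                 # not a Divi product
    esac
    if version_ge "$version" "$PATCHED_VERSION"; then
        echo "patched"
    elif version_ge "$version" "$first_affected"; then
        echo "vulnerable"
    else
        echo "unaffected"
    fi
}

# scan_csv reads "name,version" lines on stdin (the shape of
# `wp plugin list --fields=name,version --format=csv`, header included) and
# prints "name version status" for each recognised Divi product.
scan_csv() {
    while IFS=, read -r name version; do
        [ "$name" = "name" ] && continue          # skip the CSV header line
        status=$(divi_status "$name" "$version")
        [ "$status" = "unknown" ] || echo "$name $version $status"
    done
}

# Typical use on a server with WP-CLI (assumed slug, run from the site root):
#   wp plugin list --fields=name,version --format=csv | scan_csv
#   wp theme  list --fields=name,version --format=csv | scan_csv
```

Any line reported as `vulnerable` is a site that still needs the update described in the next section; `unaffected` means the install predates the affected range but is still an outdated product that should be brought up to date.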
How to Fix Website Affected by the Divi Vulnerability?
Updating your themes and plugins will patch errors and improve the security of your WordPress website. You can update your themes or plugins from the WordPress control panel, or you can download the latest versions from the Elegant Themes member area and update them manually.
Following the discovery of the vulnerability, the Elegant Themes team released a patch in the form of an update.
To update the plugin and themes, you need to log into your WordPress dashboard and select Updates from the menu.
On the Updates page, you can see all the themes and plugins that you need to update.
- Select Divi Builder plugin and click on Update Plugin
- Select Divi and Extra theme and click on Update Theme
The plugin and themes will be updated to version 4.0.10 which contains the security patch.
In addition to this vulnerability, the following are also updated:
Divi – Extra
- Fixed right-click fixed controls on empty full-width sections
- Added missing options for border styles and backgrounds tabs.
- Fixed languages that use citation characters other than those used in English, causing dynamic content to not display correctly on the web.
Monarch, Bloom and Divi Builder
- Fixed problem with the display of dynamic content in global modules in some circumstances.
- Fixed issue where button text option could not be copied between button modules.
- Fixed the Visual Builder selection control so that an onChange event is only fired when needed.
- Fixed the display of the inner box-shadow in the Visual Builder.
- Fixed the Blurb module title link not being applied to the title.
- Fixed HTML filtering incorrectly in before and after settings for dynamic content.
- Fixed incompatibility of the Autoptimize plugin with the Visual Builder, which caused the rich text control to not work.
- Fixed the bar counter amount not changing on hover for small percentage values.
What About Expired Divi Accounts?
These updates for Divi, Extra, and the Divi Builder plugin are available for free for all expired accounts. Even if your account has expired, you can update your themes or plugins to their latest versions through the WordPress control panel. Expired accounts will not have update restrictions.
This is not the case for Bloom or Monarch updates, for which you need to have an active license.
Has Your Website Been Hacked?
Hackers are always on the lookout for vulnerabilities that they can exploit to carry out their misdeeds. If you have the slightest suspicion that your website is hacked, it’s best to scan your website using WP Hacked Help Scanner.
Many WordPress site owners are using outdated plugins and themes.
As these plugins and themes contain known vulnerabilities, it is very easy for a hacker to exploit them.
Therefore, if the plugin developer offers an update, you should hasten to follow it.
Likewise, do not keep any unnecessary or disabled theme or plugin on your server: as long as it is present, it represents a potential threat. To keep your website safe from hacking, keep your plugins and WordPress up to date, set correct WordPress file permissions, and follow our step-by-step WordPress security checklist guide.
Update your plugins and themes
For plugins and themes that you had not updated (i.e. the ones most likely to have been hacked), you can remove them and reinstall them.
- Check the security of the plugin or theme before reinstalling.
- Do not reinstall any free plugins or themes that you got outside of WordPress plugin and theme directories. Buy premium versions instead or replace them with free but secure alternatives.
- Stay away from nulled WordPress themes as they can be infected with malicious code. Check here to scan your WordPress theme for malware.
- If the problem persists, you may need to reinstall WordPress itself. Files compromised in the WordPress core will be replaced with a “clean” installation.
- Make sure you update your site with recent WordPress security updates.
Even if you trust all your users and feel your website is not in harm’s way right now, you should patch the vulnerability.
As we always say, you have to always keep everything updated, and especially the theme and plugins that you use the most, for yourself or for clients.
To make sure that the security hole has been filled, the best solution is to call on a WP Hacked Help expert to perform a security audit on your site.