Elegant Themes’ Divi Builder is the most popular WordPress page builder. It enables users to build beautiful pages without knowing how to code. The Divi Builder WordPress plugin is vulnerable to a content injection attack that lets attackers inject and execute arbitrary code because the application fails to sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
During a routine security audit, critical vulnerabilities were found in the Divi Builder plugin, the Divi theme, and the Extra theme. This vulnerability can be exploited and could potentially get your WordPress site hacked.
You must update to plugin version 4.0.10 or later and take immediate steps to fix the vulnerability.
Over 600,000 websites are using Divi Builder. Many of these websites are also powered by the Divi or the Extra Theme.
The Elegant Themes team promptly released updates for the affected products that fix these security issues along with a few other bugs.
So updating Divi, Extra, and the Divi Builder plugin is important and urgent.
Divi is incredibly easy to use and you’ll be building websites in record time.
Divi Builder, which was added to Divi 4.0, allows you to create your website on the front-end in real-time.
In other words, you see your changes as you make them, eliminating back-end trips, saving you a lot of time.
All elements on the page can be easily customized; it’s all point and click. If you want to move items around, drag-and-drop functionality is at your disposal.
You must take immediate steps to fix the vulnerability. In this article, we’ll tell you what you need to protect your website.
An internal code audit at Elegant Themes detected several security vulnerabilities in the company’s most popular current products, including the well-known Divi theme.
The flaw allows users in roles such as Contributor, Author, and Editor to execute certain PHP functions.
The vulnerability can be exploited by untrustworthy users. If you are affected by the vulnerability, you need to take immediate action.
A privilege escalation vulnerability was discovered that could allow low-privilege users, such as those in the Author role, to use unfiltered HTML within post content when using the Divi Builder.
Using unfiltered HTML in posts is normally reserved for administrators.
The problems identified affect all websites that use the Divi theme, the Extra theme, or the Divi Builder plugin. They are especially relevant for sites that also allow open user registration or have low-privilege authors publishing content.
Websites running the following versions are affected by the vulnerability –
To check which version of the Divi Builder plugin you are using,
You will find a small description of the plugin along with the plugin version.
As for the themes,
You’ll find the version of the theme.
Updating your themes and plugins patches bugs and improves the security of your WordPress website. You can update your themes or plugins from the WordPress control panel, or you can download the latest versions from the Elegant Themes member area and update them manually.
Following the discovery of the vulnerability, the Elegant Themes team released a patch in the form of an update.
To update the plugin and themes, you need to log into your WordPress dashboard and select Updates from the menu.
On the Updates page, you can see all the themes and plugins that you need to update.
The plugin and themes will be updated to version 4.0.10, which contains the security patch.
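For administrators who manage several sites from the command line, the following POSIX shell script checks whether the installed Divi Builder plugin and the Divi and Extra themes are still older than the patched 4.0.10 release. It is an added example, not code from the original article or from Elegant Themes. It assumes WP-CLI is installed and that the plugin and theme slugs are `divi-builder`, `Divi` and `Extra` (an assumption; confirm against the folder names under wp-content on your own install). When WP-CLI is not available it runs the same comparison on constructed sample values so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not Elegant Themes' or the original article's code): check whether
# the installed Divi Builder plugin and Divi/Extra themes are older than the patched
# 4.0.10 release. Assumes WP-CLI ("wp") is installed and the slugs "divi-builder",
# "Divi" and "Extra" (assumption). Without WP-CLI it runs on constructed sample values.

PATCHED_VERSION="4.0.10"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Fields are compared numerically, so 4.0.9 < 4.0.10 (a plain string
# comparison would get this wrong and report 4.0.9 as "newer").
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# check_component NAME VERSION: print the status; exit 0 if NAME must be updated.
check_component() {
  if version_lt "$2" "$PATCHED_VERSION"; then
    echo "$1 $2: VULNERABLE, update to $PATCHED_VERSION or later"
    return 0
  fi
  echo "$1 $2: ok"
  return 1
}

# installed_version KIND SLUG: read the version via WP-CLI (KIND is plugin or theme).
# Prints nothing when the component is not installed.
installed_version() {
  wp "$1" get "$2" --field=version 2>/dev/null
}

# audit_site: check all three Elegant Themes components; exit 0 if any needs updating.
audit_site() {
  needs_update=1
  for spec in "plugin:divi-builder" "theme:Divi" "theme:Extra"; do
    kind=${spec%%:*}; slug=${spec#*:}
    v=$(installed_version "$kind" "$slug")
    if [ -z "$v" ]; then
      echo "$slug: not installed, nothing to do"
      continue
    fi
    check_component "$slug" "$v" && needs_update=0
  done
  return $needs_update
}

if command -v wp >/dev/null 2>&1; then
  audit_site || true
else
  # Constructed sample values, used only when WP-CLI is not available.
  check_component "divi-builder (sample)" "4.0.9" || true
  check_component "Divi (sample)" "4.0.10" || true
fi
```

Run it from the WordPress root (where WP-CLI can find wp-config.php) on each site you manage; a non-zero count of VULNERABLE lines means the update described above has not been applied there yet. The numeric field comparison matters here because 4.0.10 sorts below 4.0.9 in a naive string comparison.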
In addition to this vulnerability, the following are also updated:
These updates for Divi, Extra, and the Divi Builder plugin are available for free for all expired accounts. Even if your account has expired, you can update your themes or plugins to their latest versions through the WordPress control panel. Expired accounts will not have update restrictions.
This is not the case for Bloom or Monarch updates, for which you need to have an active license.
Hackers are always on the lookout for vulnerabilities that they can exploit to carry out their misdeeds. If you have the slightest suspicion that your website is hacked, it’s best to scan your website using WP Hacked Help Scanner.
Many WordPress site owners are using outdated plugins and themes.
As these plugins and themes contain known vulnerabilities, it is very easy for a hacker to exploit them.
Therefore, if the plugin developer offers an update, you should hasten to follow it.
Likewise, do not keep any unnecessary or disabled theme or plugin on your server: as long as it is present, it represents a potential threat. To keep your website safe from hacking, keep WordPress and its plugins up to date, set correct WordPress file permissions, and follow our step-by-step WordPress security checklist guide.
For plugins and themes that you had not updated (i.e. the ones most likely to have been compromised), you can remove them and reinstall them.
Even if you trust all your users and feel your website is not in harm’s way right now, you should patch the vulnerability.
As we always say, you have to always keep everything updated, and especially the theme and plugins that you use the most, for yourself or for clients.
To make sure that the security hole has been filled, the best solution is to call on a WP Hacked Help expert to perform a security audit on your site.