An email was sent out by Elegant Themes today, August 3rd, 2020, about a security issue in a number of their products. The issue allows a logged-in user with access to the Divi Builder to upload disallowed files. Once a disallowed file is uploaded, the attacker could further exploit WordPress or the hosting account the WordPress site is located on.
- WordFence Blog Post – https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/
- Elegant Themes Email – https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=cb6b4b1ed3
What should you do?
If you’re running the Divi or Extra theme, update it immediately. If for some reason you are using just the Divi Builder plugin, update it immediately.
However, if you don’t have WordPress accounts with access to the Divi Builder, your action doesn’t have to be immediate. The only way an attacker can exploit this security issue is with a login that can access the Divi Builder.
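As an added example (not code from this post, Elegant Themes or Wordfence), here is a Python script that walks a WordPress wp-content/uploads tree and flags files that should not be there: disallowed extensions, executable extensions smuggled inside a double extension, file content whose magic bytes do not match the extension, and PHP code in the file body. The extension allowlist, the magic-byte table and the sample directory tree are assumptions constructed for the demo; tune the allowlist to what your site actually stores (Divi’s portability exports are .json, which is why that extension is allowed here).

```python
import os
import tempfile
from pathlib import Path

# Assumption: extensions a media-only uploads directory is expected to hold.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "svg",
                      "pdf", "mp4", "mp3", "zip", "json"}

# Magic bytes for a few common types, used to confirm content matches the extension.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04",),
}

# Extensions the web server may execute; finding them inside a name like x.php.jpg is a red flag.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php5", "php7", "phar"}

# Byte sequences that indicate PHP source in what should be a media file.
PHP_MARKERS = (b"<?php", b"<?=")


def classify_file(path):
    """Return the list of reasons a file looks out of place in an uploads directory (empty if none)."""
    reasons = []
    parts = Path(path).name.lower().split(".")
    exts = parts[1:]
    if not exts:
        reasons.append("no extension")
    else:
        final = exts[-1]
        if final not in ALLOWED_EXTENSIONS:
            reasons.append(f"disallowed extension .{final}")
        for inner in exts[:-1]:
            if inner in EXECUTABLE_EXTENSIONS:
                reasons.append(f"embedded executable extension .{inner}")
    with open(path, "rb") as f:
        head = f.read(512)
    if exts and exts[-1] in MAGIC and not any(head.startswith(m) for m in MAGIC[exts[-1]]):
        reasons.append(f"content does not match .{exts[-1]} signature")
    if any(m in head for m in PHP_MARKERS):
        reasons.append("PHP code in file body")
    return reasons


def scan_uploads(root):
    """Walk the uploads tree and map each suspicious file (relative path) to its reasons."""
    root = Path(root)
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            reasons = classify_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_uploads():
    """Create a constructed sample uploads tree in a temp dir (not real site data) and return its root."""
    root = Path(tempfile.mkdtemp()) / "uploads"
    month = root / "2020" / "08"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)      # legitimate JPEG header
    (month / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)      # legitimate PNG header
    (month / "unexpected.php").write_bytes(b"<?php /* constructed sample */ ?>")  # PHP where none belongs
    (month / "image.php.jpg").write_bytes(b"<?php /* constructed sample */ ?>")  # double extension, PHP body
    (month / "notes.txt").write_bytes(b"just notes")                            # not on the allowlist
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_uploads(build_sample_uploads()).items()):
        print(f"{rel}: {'; '.join(why)}")
```

Run it against a real tree with scan_uploads("/path/to/wp-content/uploads"); anything it flags deserves a look, but treat the output as a triage list rather than a verdict, since legitimate plugins occasionally store unusual file types under uploads.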
Elegant Themes Handled this...Properly?
This was handled properly, but there are definitely some things they could have done better. It wasn't posted on the WPScan Vulnerability Database right away, but it's listed now. I had reached out to their support chat and advised that they should submit this to WPVulnDB right away so that all the various security plugins pull in the vulnerability and report on it.
Elegant Themes (Divi 3.0 - 4.5.2, Extra 2.0 - 4.5.2, Divi Builder 2.0 - 4.5.2) - Authenticated Arbitrary File Upload - https://wpvulndb.com/vulnerabilities/10342
Email From Elegant Themes
Here's the full email from Elegant Themes.
Elegant Themes Security Update
Today Divi, Extra and the Divi Builder plugin were updated to fix a security vulnerability. Updating these themes and plugins to their latest versions will fix the problem and keep your website secure.
The builder lacked sufficient file type checks in the Divi Portability system, allowing for arbitrary file uploads. This is a critical security issue that could allow logged-in contributors, authors and editors with access to the builder to upload disallowed files to the server, leading to further exploit.
This vulnerability was discovered by WordFence in an internal audit and responsibly disclosed to our team, allowing us to fix the problem before it had been actively exploited.
Are You Affected?
Every website with potentially untrustworthy users that have access to the builder, using Divi version 3.0 and above, Extra 2.0 and above or Divi Builder version 2.0 and above, is affected and should update to the latest product versions. Product version 4.5.3 includes the security patch.
How To Fix It
Updating your themes and plugins will fix this problem. You can update your themes or plugin from within your WordPress dashboard, or you can download the latest versions from the members area and update them manually.
What If You Can't Update Right Now?
If you are unable to update your themes/plugins right away, you can use our security patcher plugin to patch the vulnerability without updating your products. This is a free download for all customers. Installing this plugin will fix the problem, and you can continue to use the security patcher plugin until you are able to update your products to their latest versions.
Has Your Account Expired?
We are making these updates available for free to all expired accounts. Even if your account has expired, you can still update your themes or plugins to their latest versions via your WordPress dashboard. Expired accounts will not be restricted from updating.
We Are Here To Help
Security is extremely important to us and we take a number of precautions to help mitigate issues like this. We will continue to work hard to prevent similar mistakes from happening in the future.
If you have any questions or concerns, please know that our virtual doors are always open. If there is anything we can do to help, just let us know.