Researchers at WordFence have recently discovered a security weakness in Elegant Themes’ Divi and Extra themes and the Divi Builder plugin for WordPress.
What is the vulnerability?
In essence, this vulnerability allows users with either editing or publishing authorisation to upload harmful files onto a site. For an outsider to exploit it, one of those users’ logins would first have to be compromised, assuming that a legitimate user wouldn’t deliberately sabotage their own site.
How has it surfaced?
The vulnerability results from a flaw in the products’ builder functionality. In Divi, the portability feature, which allows users with appropriate access to export and import page templates, has been found to lack a check on the type of file being imported. Because the import is not restricted to template data, a hacker with that access can upload PHP files onto the site, which is enough to take it over entirely.
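To illustrate the kind of missing check described above, here is an added example that is not Divi’s or Elegant Themes’ code: a cut-down WordPress import handler, first in a form that trusts whatever file is uploaded, then hardened so that only a JSON template export can reach the disk. The action name `demo_import_layout`, the form field `layout_file` and the `context` key in the template are assumptions made for the illustration.

```php
<?php
// Added illustration only: a simplified "portability" import handler.
// Assumed names: AJAX action 'demo_import_layout', upload field 'layout_file'.

// WEAK: any uploaded file is written to the uploads directory under its own name.
function demo_import_layout_weak() {
    $file   = $_FILES['layout_file'];
    $upload = wp_upload_dir();
    // No type or name check: a file named anything.php becomes web-reachable PHP.
    move_uploaded_file( $file['tmp_name'], $upload['basedir'] . '/' . $file['name'] );
}

// HARDENED: capability and nonce checks, JSON-only allow list, content validation,
// and a server-generated file name with a fixed extension.
function demo_import_layout_hardened() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'demo_import_layout' ); // rejects forged requests

    $file = isset( $_FILES['layout_file'] ) ? $_FILES['layout_file'] : null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] ) {
        wp_send_json_error( 'upload failed', 400 );
    }

    // Extension allow list: only .json is accepted, regardless of the default MIME list.
    $check = wp_check_filetype( $file['name'], array( 'json' => 'application/json' ) );
    if ( 'json' !== $check['ext'] ) {
        wp_send_json_error( 'only JSON layout exports are accepted', 415 );
    }

    // The content must parse as a layout object; a .json name alone proves nothing.
    $layout = json_decode( file_get_contents( $file['tmp_name'] ), true );
    if ( ! is_array( $layout ) || empty( $layout['context'] ) ) {
        wp_send_json_error( 'not a layout export', 400 );
    }

    // Never reuse the client-supplied name: store under a generated .json name in a
    // dedicated subdirectory (which the web server should be configured not to execute).
    $upload = wp_upload_dir();
    $dest   = trailingslashit( $upload['basedir'] ) . 'layout-imports/';
    wp_mkdir_p( $dest );
    $target = $dest . wp_generate_uuid4() . '.json';
    if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
        wp_send_json_error( 'could not store layout', 500 );
    }
    wp_send_json_success( array( 'stored' => basename( $target ) ) );
}
add_action( 'wp_ajax_demo_import_layout', 'demo_import_layout_hardened' );
```

The weak function is shown only for contrast and is never hooked; the hardened one is what gets registered on the AJAX action.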
WordFence has said the following about the vulnerability:
Elegant Themes also responded to the news:
“Every website with potentially untrustworthy users that have access to the builder using Divi version 3.0 and above, Extra 2.0 and above or Divi Builder version 2.0 and above is affected and should update to the latest product versions. Product versions 4.5.3 include the security patch.”
It should also be noted that while Elegant Themes’ statement refers to ‘untrustworthy users’, any user’s account could be compromised, so the risk is not limited to users you already distrust.
How can it be fixed?
According to Elegant Themes’ statement, the latest version of Divi contains the security patch required to fix the issue. More cautious users can also install WordFence’s security plugin, which is designed to protect against WordPress security issues; WordFence also regularly tests plugins for vulnerabilities of this kind.
We encourage our clients to use the Classic Editor, but if you use Divi or another WordPress editor and you’re either concerned about your site or would simply like to hand over control to experts in the field, why not contact our team today and see how we can help?