WordPress Divi theme compromised

Posted on August 10, 2020

Researchers at WordFence have recently discovered a security weakness in Elegant Themes’ Divi and Extra WordPress themes and in the Divi Builder plugin.

What is the vulnerability?

In essence, this vulnerability allows users with either editing or publishing authorisation to upload harmful files onto a site. For an outsider to exploit it, a legitimate user’s login would first have to be compromised, assuming that a user wouldn’t want to deliberately sabotage their own site.

How has it surfaced?

The vulnerability stems from a flaw in the products’ builder functionality. In Divi, the portability feature, which lets users with appropriate access export and import page templates, checks the imported file only in the browser, with no matching check on the server. Because a browser-side check can be skipped, an attacker with a suitable account can upload PHP files to the site, and a PHP file that runs on the server is enough to take it over entirely.

WordFence has said the following about the vulnerability:

“This flaw made it possible for authenticated attackers to easily bypass the JavaScript client-side check and upload malicious PHP files to a targeted website. An attacker could easily use a malicious file uploaded via this method to completely take over a site.”
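To make the point of the quote concrete, here is an added example of what a template-import handler looks like with and without the server-side check. It is written for this post and is not Divi’s, Elegant Themes’ or WordFence’s code: the et_demo_* function names, the nonce action and the assumption that an export is a .json file are placeholders, while the WordPress functions it calls (current_user_can, check_ajax_referer, wp_check_filetype, wp_handle_upload, WP_Error) are real.

```php
<?php
// Added example, not the plugin's code. The et_demo_* names, the nonce
// action 'et_demo_import' and the .json assumption are placeholders.

// Weak pattern: the file type is checked only by JavaScript in the browser.
// From the server's point of view there is no check at all, so a client that
// skips the browser-side check can hand it a .php file and have it stored.
function et_demo_import_weak( array $file ) {
    // $file is one entry of $_FILES; nothing about it is verified here.
    return wp_handle_upload( $file, array( 'test_form' => false ) );
}

// Hardened pattern: every decision is made again on the server.
function et_demo_import_hardened( array $file ) {
    // 1. Capability: only users who may edit content may import a template.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to import templates.' );
    }

    // 2. Cross-site request forgery: the request must carry a valid nonce.
    check_ajax_referer( 'et_demo_import', 'nonce' );

    // 3. The temp file must really come from this request's upload.
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_upload', 'No uploaded file found.' );
    }

    // 4. Allowlist on the server. Never trust $file['type']: the browser
    //    supplies it. wp_check_filetype() maps the file name's extension to a
    //    type using only the allowlist we pass, so .php (or .json.php, which
    //    ends in .php) gets ext/type = false and is rejected.
    $allowed = array( 'json' => 'application/json' ); // assumed export format
    $check   = wp_check_filetype( $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only .json exports can be imported.' );
    }

    // 5. Parse rather than store. A template import needs the data, not the
    //    file, so nothing is ever written into a web-served directory, and a
    //    PHP payload dressed up as .json fails here because it is not JSON.
    $data = json_decode( file_get_contents( $file['tmp_name'] ), true );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $data ) ) {
        return new WP_Error( 'bad_json', 'The file is not a valid export.' );
    }

    return $data;
}
```

The difference between the two functions is the whole lesson: anything that runs in the visitor’s browser is a convenience, not a security control, so the capability, nonce, type and content checks all have to be repeated on the server. Step 5 is the one that closes the door on its own, because an import that is parsed and never saved to disk gives an attacker nothing for the web server to execute.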

Elegant Themes also responded to the news:

“Every website with potentially untrustworthy users that have access to the builder using Divi version 3.0 and above, Extra 2.0 and above or Divi Builder version 2.0 and above are affected and should update to the latest product versions. Product versions 4.5.3 include the security patch.”

It should also be noted that while Elegant Themes’ statement references ‘untrustworthy users’, any user’s account could be compromised and then used in this way.

How can it be fixed?

According to Elegant Themes’ statement, the latest version of Divi contains the security patch required to fix the issue, so updating Divi, Extra and Divi Builder to the patched versions is the fix. For more cautious site owners, WordFence also offers a security plugin intended to protect against a range of WordPress security issues, and the company regularly tests plugins and themes for vulnerabilities of this kind.

At Engage Web, we don’t use Divi – we’re long-standing fans of the Classic Editor. You can read more about our views (or perhaps more aptly, Content Team Leader John’s views) here and here.

While we encourage the use of the Classic Editor to our clients, if you use Divi or another WordPress editor and you’re either concerned about your site or would simply like to hand over control to experts in the field, why not contact our team today and see how we can help?
