WordPress websites powered by Elegant Themes' “Divi” and “Extra” themes, or by the “Divi Builder” plugin, are vulnerable to remote code execution through the upload of an arbitrary PHP file
Divi and Extra, themes from Elegant Themes, one of the most popular WordPress theme makers, are vulnerable to a remote code execution flaw. Approximately 700,000 active websites use Divi, Extra, or Divi Builder with their WordPress content management system (CMS). One of the features of the Divi theme is the Divi Page Builder, which makes site design and editing easy and customizable through drag and drop. In addition to the Divi theme, Elegant Themes offers an alternative theme, Extra, that includes the Divi Builder. The standalone Divi Builder plugin is also available and can be used with any theme.
The Divi vulnerability allows an attacker who holds a user account with the “contributor” role or higher to upload an arbitrary PHP file through the plugin and thereby execute arbitrary code on the server. The flaw has a CVSSv3 (Common Vulnerability Scoring System) base score of 9.9.
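The flaw described above comes down to a file upload that accepts names a web server will hand to the PHP interpreter. The following is an added example, not code from Divi, Elegant Themes or Wordfence: a defender-side check that classifies proposed upload names and audits an existing uploads directory for files that would execute as PHP, including double-extension names such as `image.php.jpg`. The extension lists and the sample names are assumptions constructed for the example.

```python
"""Audit WordPress upload filenames for server-side-executable extensions.

Added example (not Divi or Wordfence code). Flags names that a typical
Apache/nginx + PHP setup would execute, the class of file the Divi upload
flaw let a contributor-level account store on the server.
"""
import os

# Extensions commonly mapped to the PHP handler (assumed list; align it with
# the web server's actual AddHandler / location configuration).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Media extensions WordPress normally accepts from low-privilege roles (assumed).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "mp4", "zip"}


def classify_upload(filename: str) -> str:
    """Return 'executable', 'disallowed' or 'ok' for a proposed upload name."""
    name = os.path.basename(filename).lower()
    if name.startswith(".ht"):
        return "executable"  # .htaccess can re-enable PHP execution in uploads/
    parts = name.split(".")
    if len(parts) < 2:
        return "disallowed"  # no extension at all
    # Any PHP-style segment after the base name is dangerous: mod_php style
    # handler configs may execute "shell.php.jpg" as PHP, not as an image.
    if any(segment in PHP_EXTENSIONS for segment in parts[1:]):
        return "executable"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return "disallowed"
    return "ok"


def audit_names(names):
    """Return [(name, verdict)] for every name that is not 'ok'."""
    return [(n, classify_upload(n)) for n in names if classify_upload(n) != "ok"]


def audit_uploads_dir(root):
    """Walk an uploads tree and return sorted paths whose names would execute."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files
                    if classify_upload(f) == "executable")
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real site.
    sample = ["logo.png", "report.pdf", "shell.php", "image.php.jpg",
              "index.PHTML", "notes.txt", ".htaccess"]
    for name, verdict in audit_names(sample):
        print(f"{verdict:<11} {name}")
```

Run `audit_uploads_dir("/path/to/wp-content/uploads")` against a site's uploads directory to list files that should never be present there, since a media upload endpoint has no legitimate reason to store PHP.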
The Wordfence team reported the vulnerability to Elegant Themes, and it was fixed in the patch released on August 3. “We initially reached out to Elegant Themes on July 23, 2020, and, after establishing an appropriate communication channel, we provided the full disclosure details on July 28, 2020. The developers responded on June 29, 2020, to let us know a patch would be coming in the next version. Patches were released yesterday, on August 3, 2020, in version 4.5.3 for all products,” Wordfence says.
Alternatively, Divi users can install the Security Patcher plugin until they are able to update their CMS fully.