700,000 WordPress websites using Divi theme vulnerable to Remote code execution flaw


WordPress websites powered by “Divi” and “Extra” by Elegant Themes and “Divi Builder” vulnerable to remote execution of code by uploading an arbitrary PHP file

One of the most popular WordPress theme makers, Elegant Themes’ Divi and Extra themes are vulnerable to remote code execution flaw. There are approximately 700,000 websites currently active that use either Divi, Extra, or Divi Builder for their content management system(CMS). Divi. One of the features of the Divi theme is that it comes with the Divi Page Builder that makes the site design and editing process easy and customizable by dragging and dropping. In addition to the Divi theme, Elegant Themes offers an alternative theme, Extra, that includes the Divi Builder. The standalone Divi Builder plugin is also available and can be used with any theme.

Wordfence security researchers have found vulnerabilities in “Divi” and “Extra” themes made by Elegant Themes and the plug-in “Divi Builder”. The vulnerability resides in the way these themes used a client-side file type verification check but did not do a server-side verification check. This flaw made it possible for authenticated attackers to easily bypass the JavaScript client-side check and upload malicious PHP files to a targeted website. An attacker could easily use a malicious file uploaded via this method to completely take over a site.

Divi vulnerability allows hackers to remotely execute arbitrary code by uploading an arbitrary PHP file by a user who has “contributor” or higher authority access to the plugin. The common vulnerability assessment system “CVSSv3” has a base score of “9.9”.  

The Wordfence team reached out to Elegant Themes about this vulnerability and it was fixed in the patch released on 3rd August. “We initially reached out to Elegant Themes on July 23, 2020, and, after establishing an appropriate communication channel, we provided the full disclosure details on July 28, 2020. The developers responded on June 29, 2020, to let us know a patch would be coming in the next version. Patches were released yesterday, on August 3, 2020, in version 4.5.3 for all products,” Wordfence says.

Alternatively, Divi users can download Security Patcher Plugin until you can update your CMS fully.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments