Vulnerable Plugins & Themes:
- Divi Builder Plugin
- Divi Theme
- Extra Theme
Vulnerability Disclosed: 02-01-2020
Patch Release Date: 03-01-2020
- Divi Builder Plugin – 4.0.10
- Divi Theme – 4.0.10
- Extra Theme – 4.0.10
Elegant Themes’ Divi Builder is the most popular WordPress page builder. It enables users to build beautiful pages without knowing how to code. Over 600,000 websites are using Divi Builder. Many of these websites are also powered by the Divi or the Extra Theme.
Critical vulnerabilities were found in the Divi Builder Plugin, Divi Theme, and Extra Theme. This vulnerability can be exploited and could potentially damage your website. You must take immediate steps to fix the vulnerability. In this article, we’ll tell you what you need to protect your website.
What is the Divi Vulnerability & its Impact?
During a routine security audit, a type of vulnerability called the code injection vulnerability was discovered by the Elegant Themes team. It allows users roles like contributors, authors, and editors to execute certain PHP functions.
The vulnerability can be exploited by untrustworthy users. If you are affected by the vulnerability, you need to take immediate action.
Are You Affected by the Divi Vulnerability?
Websites running the following versions are affected by the vulnerability –
- Divi Builder version 2.23 and above
- Divi version 3.23 and above
- Extra 2.23 and above
But how do you know what version you are running?
- To learn what version of the Divi Builder plugin you are using, log into your WordPress dashboard, go to Plugins > Installed Plugins > Divi Builder. You will find a small description of the plugin along with the plugin version.
- As for the themes, go to Appearance > Themes > Divi & Extra and then click on Details. You’ll find the version of the theme.
How to Fix Websites Affected by the Divi Vulnerability?
Updating the plugin and the themes will fix the issue.
Following the discovery of the vulnerability, the Elegant Themes team released a patch in the form of an update.
To update the plugin and themes, you need to log into your WordPress dashboard and select Updates from the menu.
In the Updates page, you can see all the themes and plugins that you need to update.
- Select Divi Builder plugin and click on Update Plugin
- Select Divi and Extra theme and click and Update Theme
The plugin and themes will be updated to version 4.0.10 which contains the security patch.
What About Expired Divi Accounts?
If your Elegant Themes subscription has expired, don’t worry, you can still update the software. You don’t need to renew your subscription to receive the update. You can update the software from your WordPress dashboard.
Has Your Website Been Hacked?
Hackers are always on the lookout for vulnerabilities that they can exploit to carry out their misdeeds. If you have the slightest suspicion that your website is hacked (recommended read – signs of a hacked site), it’s best to scan your website. If it turns out that your site is hacked, then you can clean it instantly. Here’s how you can scan and clean your website.
Step 1: Install and activate the WordPress Security Plugin called MalCare. Then add your website to the MalCare dashboard and it will start auto-scanning your website immediately. If it finds malware, you will be notified.
Step 2: To remove malware from your website, click on MalCare’s Auto-Clean button and the plugin will clean your website immediately.
Even if you trust all your users and feel your website is not in harm’s way right now, you should patch the vulnerability.
If a hacker gains access to one of these user accounts, they can exploit the vulnerability to execute malicious commands. The repercussions that follow are severe and expensive to fix. Hence update your Divi Builder plugin, Divi & Extra theme immediately.
We hope you understand how important it is to keep your website updated at all times. The themes and plugins that you use will develop vulnerabilities over time. When developers discover the vulnerability, they release an update with a security patch.
Those who don’t regularly update their website remain vulnerable. We recommend reading our in-depth guide on WordPress updates.
Apart from such vulnerabilities, there are many more threats that your WordPress website can face like brute force attacks on your login page among others. To protect your website from all kinds of threats you need to use a security plugin like MalCare. It scans your website daily, cleans it instantly if it’s hacked and protects it from hackers and bots.
Try MalCare Security Service Right Now!