Hacks and Incidents

Elegant Themes Divi builder and Plugin Options vulnerabilities

Some WordPress themes from ElegantThemes (http://www.elegantthemes.com) are vulnerable to user privilege escalation.

Below the complete advisory information:

Today our divi builder and plugin options frameworks were updated to fix a security vulnerability. The vulnerability affects several of our themes and plugins, including our Divi (http://www.elegantthemes.com/gallery/divi/) , Extra (http://www.elegantthemes.com/gallery/extra/) , and Divi 2.3 (legacy) themes, as well as our Divi Builder (http://www.elegantthemes.com/plugins/divi-builder/) , Bloom (http://www.elegantthemes.com/plugins/bloom/) and Monarch (http://www.elegantthemes.com/plugins/monarch/) plugins.

Updating these themes and plugins to their latest versions will patch this vulnerability, keeping your websites safe. These are critical updates.

There have been no reports of exploit attempts against this vulnerability. The vulnerability was privately disclosed to our team and we worked closely with the researcher, our team and a third-party security vendor to identify and patch the vulnerability quickly.

The Security Vulnerability

An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.

A similar flaw was found in Bloom and Monarch, creating the potential for registered WordPress users to manipulate plugin settings.

If you are using any of the products listed above and you have untrusted authors, plugins that allow user registration or you have enabled open user registration, you are at risk from this vulnerability.

How To Fix It

Updating your themes and plugins will fix this problem.

You can update your theme (http://www.elegantthemes.com/gallery/divi/documentation/update/) or update your plugin (http://www.elegantthemes.com/plugins/divi-builder/documentation/update/) using our elegant updater plugin, or you can download the latest versions from the members area (https://www.elegantthemes.com/members-area/) and update them manually (https://www.elegantthemes.com/members-area/documentation.html#updater) . We have also created an upgrade path for our legacy Divi 2.3 theme. If you have been using this legacy version and do not wish to upgrade fully, you will notice an update notification for version 2.3.4 is now available. You can also download version 2.3.4 from the members area. This will patch the vulnerability without adding new features.

The following product versions are patched and secured:

  • Divi 2.6.4
  • Divi (legacy) 2.3.4
  • Divi Builder 1.2.4
  • Extra 1.2.4
  • Bloom 1.1.1
  • Monarch 1.2.7

Has Your Account Expired?

We are making these updates available for free to all expired accounts. We want as many people as possible to have easy access to this patch. Even if your account has expired, you can still use our updater plugin to update to this particular theme/plugin version. Expired accounts will not be restricted from updating. You can also contact us to have the latest versions sent to you if you have forgotten your username and API key. Simply reply to this email.

What If You Can’t Update Right Now?

It’s not recommended that you continue to use affected versions. If you are unable to update your themes/plugins right away, we’ve compiled a list of actions you can take to lessen the potential exposure:

* Install The Security Patcher: We created a plugin that will patch the issue without upgrading your versions. This is a free download (https://www.elegantthemes.com/members-area/security/) for all customers. This is ideal for anyone that is unable to upgrade for whatever reason. Installing this plugin along with out-dated versions of our themes & plugins will patch known vulnerabilities in our products to the best of its ability.

* Disable User Registration: It’s suggested that you delete any untrusted registered users from your WordPress installation, disable plugins that allow for user registration and make sure that you have not enabled the anyone can register setting (https://codex.wordpress.org/Settings_General_Screen) in your WordPress Dashboard. This vulnerability only applies to WordPress websites that have untrusted registered users, so disallowing user registration will effectively remove the potential for user privilege escalation.

* Web Application Firewalls: We have coordinated with Sucuri’s CloudProxy (https://sucuri.net/website-firewall/) team and they have virtually patched the vulnerability within their network. Utilizing the CloudProxy WAF will help specifically target and protect some aspects of this vulnerability.

The above steps are not necessary if you have upgraded your themes and plugins. Upgrading should be considered the only true fix, but we understand that in some circumstances this may prove difficult. In those cases, the recommendations above are most effective.

Security is Very Important to Us

I can personally assure you that security is paramount here at Elegant Themes. We take a number of precautions to help mitigate issues like this. Some of those precautions include internal peer reviews and occasional third-party independent reviews, including static / dynamic code analysis and human line-by-line code audits. Regardless, in this instance, something slipped through the process and we’re working hard to identify how, but more importantly how to avoid it in the future.

While our team worked to fix these vulnerabilities, we also contacted Sucuri, a leading WordPress security research team, to perform a new and complete security audit of Divi and the included divi builder framework. We followed this up with a full internal re-review of all affected products.

I can not begin to express my apologies for the inconvenience this may present to our customers. We are extremely disappointed that this occurred, and will continue to work towards providing you the exemplary products you have come to expect. As a member of Elegant Themes, you can be sure that we will always be here to help keep you and your client’s websites safe. As a final reminder, please remember to always keep your themes and plugins updated. In this case, a timely upgrade is all that’s needed to secure your websites.

If you have any questions or concerns, please know that our virtual doors are always open. If there is anything we can do to help, just let us know.

Best Wishes,
Nick Roach

 

Standard