Elegant Themes emailed its customers last night to inform them of a critical security vulnerability affecting a large segment of its product line. An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts. In addition to the Divi Builder, the vulnerability was also found in the Divi, Extra, and Divi 2.3 (legacy) themes and the Boom and Monarch plugins. It was privately disclosed and promptly patched by Elegant Themes with the help of a third-party security vendor. No known exploit attempts have been made. Updating the themes and plugins will fix the vulnerability but the patches were created only for the most recent versions. Legacy theme customers now have an upgrade path, including a version that doesn’t add new functionality. Customers who are not ready to update are advised to turn registration off on their sites, as untrusted users