Vulnerability in Divi theme and Divi Builder

I received this email today. I know a number of people here are using Divi on ClassicPress so I thought I’d share it.


Elegant Themes Security Update

Today Divi and the Divi Builder plugin were updated to fix a security vulnerability. Updating these themes and plugins to their latest versions will fix the problem and keep your website secure.

The Problem

The builder lacked sufficient file type checks in the Divi Portability system, allowing for arbitrary file uploads. This is a critical security issue that could allow logged-in contributors, authors and editors with access to the builder to upload disallowed files to the server, leading to further exploitation.

This vulnerability was discovered by Wordfence in an internal audit and responsibly disclosed to our team, allowing us to fix the problem before it had been actively exploited.

Are You Affected?

Every website with potentially untrustworthy users that have access to the builder using Divi version 3.0 and above, Extra 2.0 and above or Divi Builder version 2.0 and above is affected and should update to the latest product versions. Product versions 4.5.3 include the security patch.

How To Fix It

Updating your themes and plugins will fix this problem. You can update your themes or plugin from within your WordPress dashboard, or you can download the latest versions from the members area and update them manually.

What If You Can’t Update Right Now?

If you are unable to update your themes/plugins right away, you can use our security patcher plugin to patch the vulnerability without updating your products. This is a free download for all customers. Installing this plugin will fix the problem, and you can continue to use the security patcher plugin until you are able to update your products to their latest versions.

Has Your Account Expired?

We are making these updates available for free to all expired accounts. Even if your account has expired, you can still update your themes or plugins to their latest versions via your WordPress dashboard. Expired accounts will not be restricted from updating.
