Many of the websites we work on are built in WordPress using the Divi and Extra themes and the Divi Builder plugin. On August 3, 2020 their developer, Elegant Themes, released a fix for a critical security vulnerability that had been discovered by Wordfence (a WordPress security plugin and research team). Elegant Themes reports no evidence that the flaw was exploited before the fix was available, but it is urging everyone to update their themes and plugins now.
We always encourage people to keep every theme and plugin on their website up to date to avoid security issues like this one. It is also good practice to back up your website regularly so it can be restored in the event of a critical failure or a compromise. If you're unsure how to do either of these, let us know and we can help!
Below are the technical details published by Elegant Themes about this particular issue.
The builder lacked sufficient file type checks in the Divi Portability system, allowing for arbitrary file uploads. This is a critical security issue that could allow logged-in contributors, authors and editors with access to the builder to upload disallowed files to the server, leading to further exploit.
This vulnerability was discovered by Wordfence in an internal audit and responsibly disclosed to our team, allowing us to fix the problem before it had been actively exploited.
Are You Affected?
Every website with potentially untrustworthy users that have access to the builder using Divi version 3.0 and above, Extra 2.0 and above or Divi Builder version 2.0 and above is affected and should update to the latest product versions. Product version 4.5.3 includes the security patch.
How To Fix It
Updating your themes and plugins will fix this problem. You can update your themes or plugin from within your WordPress dashboard, or you can download the latest versions from the members area and update them manually.
What If You Can't Update Right Now?
If you are unable to update your themes/plugins right away, you can use our security patcher plugin to patch the vulnerability without updating your products. This is a free download for all customers. Installing this plugin will fix the problem, and you can continue to use the security patcher plugin until you are able to update your products to their latest versions.
Has Your Account Expired?
We are making these updates available for free to all expired accounts. Even if your account has expired, you can still update your themes or plugins to their latest versions via your WordPress dashboard. Expired accounts will not be restricted from updating.
We Are Here To Help
Security is extremely important to us and we take a number of precautions to help mitigate issues like this. We will continue to work hard to prevent similar mistakes from happening in the future.
If you have any questions or concerns, please know that our virtual doors are always open. If there is anything we can do to help, just let us know.
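For readers who want to see what "lacked sufficient file type checks" means in practice, here is an added illustration of that class of bug. This is not Divi's code, Elegant Themes' code or the actual fix; it is a hypothetical WordPress admin-ajax handler that imports a layout exported as JSON, shown first in the insecure form and then hardened. The action names, the nonce name `import_layout`, the `edit_theme_options` capability choice, the assumed shape of the export (`context` and `data` keys) and the `apply_layout_import()` helper are all assumptions made for this example; the WordPress functions it calls (`check_ajax_referer`, `current_user_can`, `wp_check_filetype`, `wp_upload_dir`, `sanitize_file_name`, `wp_send_json_error`, `wp_send_json_success`) are real.

```php
<?php
/**
 * Added example, not part of the Divi / Extra / Divi Builder code base.
 * Two versions of a hypothetical "import a JSON layout" AJAX handler.
 */

// --- Vulnerable pattern: the server never checks what kind of file it got ----
// Any logged-in user who can reach this action can upload "shell.php" and have
// it land in wp-content/uploads/imports/, a directory the web server will
// happily execute PHP from. sanitize_file_name() strips odd characters but
// leaves the .php extension intact, so it is not a defence here.
function insecure_import_layout() {
    if ( empty( $_FILES['import_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $upload = wp_upload_dir();
    $dest   = $upload['basedir'] . '/imports/' . sanitize_file_name( $_FILES['import_file']['name'] );
    // Extension and content are trusted as sent by the browser.
    move_uploaded_file( $_FILES['import_file']['tmp_name'], $dest );
    wp_send_json_success( array( 'saved' => $dest ) );
}
add_action( 'wp_ajax_insecure_import_layout', 'insecure_import_layout' );

// --- Hardened pattern ---------------------------------------------------------
function secure_import_layout() {
    // 1. Authorisation: a valid nonce for this action, and a capability that
    //    only users who may change the site's layout hold (assumed choice).
    check_ajax_referer( 'import_layout', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Make sure PHP actually received this file as part of the request.
    if ( empty( $_FILES['import_file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['import_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Server-side allowlist on the extension. wp_check_filetype() returns
    //    ext => false for anything not in the supplied list, so "shell.php"
    //    is refused here regardless of what the browser claimed.
    $allowed = array( 'json' => 'application/json' );
    $check   = wp_check_filetype( $_FILES['import_file']['name'], $allowed );
    if ( 'json' !== $check['ext'] ) {
        wp_send_json_error( 'only .json exports may be imported', 415 );
    }

    // 4. Validate the content, not just the name: it must parse as JSON with
    //    the structure the importer expects (keys assumed for this example).
    //    The raw upload is read from PHP's temp file and never copied anywhere
    //    a URL could reach, so a mis-named file has nothing to execute.
    $raw  = file_get_contents( $_FILES['import_file']['tmp_name'] );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) || ! isset( $data['context'], $data['data'] ) || ! is_array( $data['data'] ) ) {
        wp_send_json_error( 'file is not a layout export', 422 );
    }

    // 5. Only now act on the parsed structure.
    wp_send_json_success( apply_layout_import( $data ) );
}
add_action( 'wp_ajax_secure_import_layout', 'secure_import_layout' );

/**
 * Hypothetical import step: in a real plugin this would create the layout
 * records. Here it only reports what it would have imported.
 */
function apply_layout_import( array $data ) {
    return array(
        'context'  => sanitize_key( $data['context'] ),
        'imported' => count( $data['data'] ),
    );
}
```

The two things that matter in the hardened version are that the decision about file type is made on the server from an explicit allowlist, and that the uploaded bytes are parsed and then discarded rather than written to a web-reachable directory under a client-chosen name. Checking the extension alone would still let a `.json` file containing anything through; parsing it as JSON closes that gap. After updating, it is also worth listing any `.php` files under `wp-content/uploads/`, since a web-executable file there is the typical artefact of an arbitrary-upload bug being abused.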