Vulnerability in Website Builder Exposes 700,000 sites

In late July, a threat intelligence team found a vulnerability in themes by Elegant Themes. The themes were Divi, Extra, and the WordPress plugin, Divi Builder. These products combined are downloaded on over 700,000 websites.

The vulnerability allowed attackers the ability to upload PHP files onto any website with the programs downloaded. The attackers also used remote code execution on the website servers.

Elegant Themes is the company that created Divi and Divi Page Builder. These are website editing tools that make website design easy and completely customizable. Divi editor users can import and export page templates with ease, however, this is where the security issue was found. The import/export feature was missing a server-side verification check, which means that the server function that determines if a file is safe was not working.

“This flaw made it possible for authenticated attackers to easily bypass the JavaScript client-side check and upload malicious PHP files to a targeted website. An attacker could easily use a malicious file uploaded via this method to completely take over a site.”

This vulnerability has been patched completely in a new update released in early August. It is recommended that any company using these website builders, updates immediately.

Protect against vulnerabilities

Ostra Cyber Security extends multiple layers of protection around the Internet Service Provider hardening the defenses and creating active barriers preventing criminals from exposing any lurking vulnerabilities.

Want to find out more? Visit or contact us today at