In late July, a threat intelligence team found a vulnerability in products by Elegant Themes. The affected products were the Divi and Extra themes and the WordPress plugin Divi Builder. Combined, these products have been downloaded on over 700,000 websites.
The vulnerability allowed attackers to upload PHP files onto any website with the programs downloaded. The attackers also used remote code execution on the website servers.
Elegant Themes is the company that created Divi and Divi Page Builder. These are website editing tools that make website design easy and completely customizable. Divi editor users can import and export page templates with ease; however, this is where the security issue was found. The import/export feature was missing a server-side verification check, which means that the check on the server that determines whether a file is safe was not being performed.
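As an added illustration (not code from Elegant Themes or from the patch), the following sketch shows what a server-side verification check on an imported template file can look like. It assumes templates are exported as JSON files; the function name, constants and sample uploads are hypothetical and constructed for this example.

```php
<?php
// Added example: server-side check for an imported template file.
// Assumption: templates are JSON files; all names here are hypothetical.

const ALLOWED_EXTENSIONS = ['json'];
const MAX_IMPORT_BYTES   = 5 * 1024 * 1024;

/**
 * Decide on the server whether an uploaded import file is acceptable.
 * Returns [bool $ok, string $reason]. Nothing the browser asserts
 * (client-side file name checks, Content-Type header) is trusted.
 */
function validate_import_file(string $clientName, string $contents): array
{
    // 1. Allowlist the final extension; anything else (e.g. .php) is rejected.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return [false, "extension '$ext' not allowed"];
    }
    // 2. Bound the size before parsing.
    if (strlen($contents) > MAX_IMPORT_BYTES) {
        return [false, 'file too large'];
    }
    // 3. The content must actually parse as the expected format,
    //    so a renamed script does not pass on its name alone.
    $data = json_decode($contents, true);
    if (!is_array($data)) {
        return [false, 'content is not a JSON document'];
    }
    return [true, 'ok'];
}

// Constructed sample uploads: [name sent by the client, file contents].
$samples = [
    ['layout.json',     '{"context":"page","data":{}}'],
    ['layout.php',      '<?php /* placeholder */ ?>'],
    ['layout.json',     '<?php /* placeholder */ ?>'],
    ['layout.php.json', 'not json'],
];

foreach ($samples as [$name, $contents]) {
    [$ok, $reason] = validate_import_file($name, $contents);
    printf("%-16s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $reason);
}
```

In a WordPress request handler, a check like this would sit alongside the usual capability and nonce checks, and an accepted file would be stored under a server-generated name rather than the name the client supplied.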
This vulnerability has been patched completely in a new update released in early August. It is recommended that any company using these website builders update immediately.
Protect against vulnerabilities
Ostra Cyber Security extends multiple layers of protection around the Internet Service Provider, hardening the defenses and creating active barriers that prevent criminals from exposing any lurking vulnerabilities.