Written by Editorial Team on January 6, 2020

Critical Vulnerabilities Found in Divi Builder by Elegant Themes (And How To Fix It)

Latest Divi Theme Vulnerabilities


Theme & Plugin Affected

The affected products are the Divi Builder plugin, the Divi theme and the Extra theme.

Vulnerability Disclosed

The vulnerabilities were discovered on 2 January 2020.

Patch Release Date

The security patch was released as an update on 3 January 2020.

Patched Version

Divi Builder Plugin (4.0.10), Divi Theme (4.0.10) and Extra Theme (4.0.10)

Security Updates for Divi Theme, Divi Builder Plugin and Extra Theme


Divi Builder by Elegant Themes is one of the most popular WordPress page builders; it lets users build attractive WordPress pages without writing a single line of code. At the time of writing, over 600,000 websites use Divi Builder, and most of them run either the Divi theme or the Extra theme.

On 2 January 2020, critical vulnerabilities were found in all three popular products: the Divi Builder plugin, the Divi theme and the Extra theme. It is important to understand that this vulnerability can be exploited and could damage your website.

We recommend taking immediate steps to fix the vulnerability, which we show you in this article.

What Is The Divi Vulnerability & Its Impact?

During a routine security audit, the Elegant Themes team discovered a code injection vulnerability. It allows users with roles such as contributor, author and editor to execute certain PHP functions.

The vulnerability can be exploited by untrustworthy users holding one of those roles. If you are affected, you need to take immediate action.

How To Know If You Are Affected By The Divi Vulnerability?

Website owners running any of the following versions (up to the patched release, 4.0.10) are affected by the vulnerability:

  • Divi Builder version 2.23 and above
  • Divi version 3.23 and above
  • Extra version 2.23 and above

You can find out which version your website is running as follows.

  1. To learn which version of the Divi Builder plugin you are using, log in to your WordPress dashboard and go to Plugins > Installed Plugins > Divi Builder. You will find a short description of the plugin along with its version.
  2. For the themes, go to Appearance > Themes > Divi & Extra and click Details. You’ll find the version of the theme there.
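If you manage several sites over SSH, the same version headers can be read straight from disk. The following script is an added example, not part of the article or of Elegant Themes' code; it assumes the default wp-content layout, and the plugin file name divi-builder/divi-builder.php is an assumption.

```shell
#!/bin/sh
# Added example: read the installed Divi, Extra and Divi Builder versions from
# their WordPress header files and report whether each is still in the affected
# range (theme >= 3.23 / builder and Extra >= 2.23, below 4.0.10).
# Assumptions: default wp-content layout; plugin main file divi-builder/divi-builder.php.

PATCHED="4.0.10"

# Print the value of the "Version:" header in a theme style.css or a plugin
# main PHP file (first match only; empty output when the file is absent).
wp_header_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# True (exit 0) when version $1 sorts before version $2.
# Needs GNU or busybox sort -V so that 3.9 < 3.23, unlike a plain string sort.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one product: $1 = label, $2 = installed version ("" if absent),
# $3 = first affected version from the article's list.
divi_status() {
    name=$1; ver=$2; first_affected=$3
    if [ -z "$ver" ]; then
        echo "$name: not installed"
    elif version_lt "$ver" "$first_affected"; then
        echo "$name: $ver (below affected range, still update)"
    elif version_lt "$ver" "$PATCHED"; then
        echo "$name: $ver VULNERABLE - update to $PATCHED"
    else
        echo "$name: $ver patched"
    fi
}

# Check all three products under a WordPress root directory ($1).
check_divi_install() {
    root=$1
    divi_status "Divi theme"   "$(wp_header_version "$root/wp-content/themes/Divi/style.css")" 3.23
    divi_status "Extra theme"  "$(wp_header_version "$root/wp-content/themes/Extra/style.css")" 2.23
    divi_status "Divi Builder" "$(wp_header_version "$root/wp-content/plugins/divi-builder/divi-builder.php")" 2.23
}

# Usage: check_divi_install /var/www/html
```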

Take a look at the image below to further understand the method.

[Image: Divi Theme Update]

How To Fix Websites Affected By The Vulnerability In Divi?

The easiest way to fix the vulnerability is to update the plugin and the themes.

Upon discovery of the vulnerability, the Elegant Themes team released a patch in the form of an update.

You need to update the Divi plugins and themes through your WordPress dashboard.

Here's how it is done.

Updating WordPress Theme And Plugins

On the Updates page, you can see all the themes and plugins that need updating.

  • Select the Divi Builder plugin and click Update Plugin
  • Select the Divi and Extra themes and click Update Theme

The plugin and themes will be updated to version 4.0.10, which contains the security patch.

Can Expired Divi Accounts Get Free Updates?

Yes. Due to the seriousness of the Divi vulnerability, even expired accounts can now update their Divi themes and plugins through the WordPress dashboard.

How To Know If My Website Has Been Hacked?

Here's the thing: hackers are always on the lookout for vulnerabilities they can exploit.

Here are some signs that your WordPress website has been hacked.

  1. You are unable to log in to wp-admin
  2. Your website layout is no longer the same as before
  3. You notice links on your website pointing to scam sites
  4. You receive a notification in Google Search Console

How To Clean A Hacked WordPress Website?

We are sorry that your WordPress website was hacked. Here are simple steps you can take to remove malware and fix a hacked WordPress website.

  1. Scan your website using the free Sucuri security scanner (link).
  2. Check whether the core files are clean. The quickest way to confirm the integrity of your WordPress core files is to compare them against a clean copy of the same WordPress version with the diff command in a terminal. If you are not comfortable with the command line, you can check the files manually via SFTP.
  3. Check for recently modified files (guide).
  4. Use the Google Transparency Report to see whether your website has been flagged as compromised.
  5. Restore the latest clean backup of your WordPress website. If your web host doesn't offer backups, we recommend switching immediately to a reliable host such as Kinsta or BlueHost.
  6. Update all WordPress themes and plugins to their latest versions.
  7. Check your database to ensure the clean-up has been done correctly.
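Steps 2 and 3 above in shell, as an added example that is not the article's own: it compares the live core directories against a clean copy of the same WordPress version that you have downloaded and unpacked beside it, and lists files changed in the last N days. The paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: core integrity check (step 2) and recently modified files
# (step 3). wp-content is skipped on purpose: it holds themes, plugins and
# uploads, which legitimately differ from a fresh WordPress download.

# Compare $1 (live WordPress root) against $2 (clean extract of the same
# version). Prints every difference; exits 0 only when core files match.
wp_core_diff() {
    live=$1; clean=$2; status=0
    for d in wp-admin wp-includes; do
        # -r recurse, -q names only; also reports files present in one tree only
        if ! diff -rq "$clean/$d" "$live/$d"; then status=1; fi
    done
    # Top-level core files (index.php, wp-load.php, ...) from the clean copy
    for f in "$clean"/*.php; do
        [ -e "$f" ] || continue
        b=$(basename "$f")
        if [ ! -f "$live/$b" ]; then
            echo "Missing: $live/$b"; status=1
        elif ! cmp -s "$f" "$live/$b"; then
            echo "Modified: $live/$b"; status=1
        fi
    done
    # Top-level PHP files on the live site that a clean install does not ship;
    # wp-config.php is expected, anything else deserves a look
    for f in "$live"/*.php; do
        [ -e "$f" ] || continue
        b=$(basename "$f")
        [ "$b" = "wp-config.php" ] && continue
        [ -f "$clean/$b" ] || { echo "Unexpected: $f"; status=1; }
    done
    return $status
}

# List regular files under $1 modified within the last $2 days (sorted by
# path). Run it over the whole root so wp-content is covered as well.
recently_modified() {
    find "$1" -type f -mtime -"$2" -print | sort
}

# Usage (paths are examples):
#   wp_core_diff /var/www/html /tmp/wordpress-clean
#   recently_modified /var/www/html 7
```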

Keeping Your Divi Websites Safe From Hackers

Last but not least, it is important to keep your Divi websites safe. Using strong passwords and keeping everything updated are the two most important parts of avoiding vulnerabilities.
