Early in August 2020, the Wordfence security research team disclosed a critical vulnerability in the WordPress Divi theme.
Our agency has already applied the patched update on all the client websites and hosting servers we manage. Beyond the hundreds of sites we look after, an estimated 700,000 websites run the affected products, and the flaw is rated 9.9/10 (CVSS, critical).
Our agency has built hundreds of websites using this theme, and we feel a strong moral duty to let all previous clients and anyone we’ve spoken to know that this exists.
We are now making a Public Service Announcement to ensure that our business community is aware of this critical security risk.
The vulnerability is present in two themes by Elegant Themes, Divi and Extra, as well as in Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. The flaw let authenticated attackers with contributor-level or higher capabilities upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. In practice that means an attacker with even a low-privilege account, such as a contributor who writes blog posts, could take full control of the website and its database, and potentially the hosting account, gaining access to your customer data, stored credentials and more. This is a huge deal!
How To Fix Your Website
To fix this, we recommend logging into your WordPress website immediately and updating Divi, Extra and/or Divi Builder to version 4.5.3 or later.
What you will need:
- Admin Access to your WordPress website
- An Active Divi Theme Licence Key
If you don’t have an active licence for Divi Theme, you can purchase one through their website for $89 USD per year ($125 AUD) or a lifetime licence for $249 USD ($350 AUD).
Alternatively, our agency can add our licence key to give you lifetime updates, and we can install this for you and get it fixed right away! Simply sign up for any of our web management services or get our one-time Website Audit Report for $99 AUD.
Video on how to update Divi Theme
Updating Your Theme
- Log in to your website by going to yourdomain.com/wp-admin
- Go to “Dashboard” and click “Updates”
- Scroll down to the Themes section, tick Divi (or Extra) or select all themes, then click the “Update Themes” button. If you use the Divi Builder plugin, do the same in the Plugins section.
You need to have an active licence key to update – please contact our agency if you want help, as we can add our licence key.
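For sites managed from the command line, here is an added example (not code from the original post or from Elegant Themes) that uses WP-CLI to read the installed version of each affected product and flag anything still below the patched 4.5.3 release. It assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root, and that the product names match the install directory names (confirm with `wp theme list` and `wp plugin list`).

```shell
#!/bin/sh
# Added example, not code from the original post or from Elegant Themes:
# flag Divi, Extra and Divi Builder installs still below the patched release.
# Assumes WP-CLI (`wp`) is installed and the script is run from the WordPress
# root. Product names are assumed to match the install directory names; confirm
# them with `wp theme list` and `wp plugin list`.

PATCHED="4.5.3"   # fixed version for all three products, per the advisory summary

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Compares component by component, so 4.10.0 correctly sorts after 4.9.9.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# needs_patch VERSION: succeed when VERSION is still in the vulnerable range.
needs_patch() {
    version_lt "$1" "$PATCHED"
}

# check_product KIND NAME: KIND is "theme" or "plugin". Prints a verdict and
# returns 1 when the product is installed and still vulnerable.
check_product() {
    kind=$1; name=$2
    ver=$(wp "$kind" get "$name" --field=version 2>/dev/null) || {
        echo "$kind $name: not installed"
        return 0
    }
    if needs_patch "$ver"; then
        echo "$kind $name $ver: VULNERABLE - update to $PATCHED or later"
        return 1
    fi
    echo "$kind $name $ver: patched"
}

# Only call WP-CLI when it is actually available, so the helpers above can be
# sourced and reused on their own.
if command -v wp >/dev/null 2>&1; then
    status=0
    check_product theme Divi          || status=1
    check_product theme Extra         || status=1
    check_product plugin divi-builder || status=1
    if [ "$status" -ne 0 ]; then
        echo "Fix with: wp theme update Divi Extra && wp plugin update divi-builder"
    fi
fi
```

The `wp theme update` / `wp plugin update` commands only succeed for these products when a valid Elegant Themes licence (username and API key) has already been saved in the Divi theme options, which is the same licence requirement described above for updating through the dashboard.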
Social Geeks Web Management clients, and any clients we’ve built websites for, are already protected against this vulnerability, as we update your software weekly.
If you need our agency to help, we can update this for you along with either of these options:
- One-time Website Health Check Audit Report: Along with fixing this critical vulnerability, we will provide you with a detailed report on the health of your website, including a server, website and database check. We search for viruses and malware and update any software required to improve performance. A list of recommendations will be provided in the report, which our development team can quote and complete for you at our usual agency rates.
- Ongoing Website Management: monthly security management, remote backups to keep your website recoverable even if it is hacked, and weekly/monthly reports outlining website performance, keyword rank tracking (up to 100 words), sales and traffic results and more.
Because the fix was released soon after the discovery, we don’t expect many websites to have been hacked yet; however, it’s a good idea to run scans to ensure your site has not been compromised. We highly recommend using Wordfence for your WordPress website even if you’re not using the Divi Theme.
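Since this flaw is an arbitrary file upload, the artefact it leaves behind is typically a PHP file dropped under wp-content/uploads, a directory that only ever holds media on a clean site. The following is an added example (not code from the original post, and no substitute for a full malware scan such as the Wordfence one) that lists such files; it assumes it is run from the WordPress root, and the sample uploads tree it builds is constructed here purely for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a quick post-incident check
# for executable PHP under wp-content/uploads, the usual trace of an
# arbitrary-file-upload compromise. Assumes it is run from the WordPress root.
# The sample tree built by make_sample_uploads is constructed for illustration.

# find_php_in_uploads DIR: print files under DIR whose name ends in .php,
# .phtml, .php5, .php7 or .phar (extensions mod_php/PHP-FPM commonly execute).
find_php_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.php[57]' -o -name '*.phar' \) 2>/dev/null | sort
}

# count_php_in_uploads DIR: number of such files, for a yes/no verdict.
count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}

# make_sample_uploads: build a throwaway uploads tree with normal media files
# plus one file named like a planted web shell; prints the directory path.
make_sample_uploads() {
    dir=$(mktemp -d)
    mkdir -p "$dir/2020/08"
    : > "$dir/2020/08/hero.jpg"
    : > "$dir/2020/08/brochure.pdf"
    : > "$dir/2020/08/image.php"   # constructed: stands in for a dropped web shell
    printf '%s\n' "$dir"
}

# Demonstration on the constructed tree.
sample=$(make_sample_uploads)
echo "Suspicious files in sample tree:"
find_php_in_uploads "$sample"
echo "count: $(count_php_in_uploads "$sample")"
rm -rf "$sample"

# Real check, only when run from a WordPress root.
UPLOADS="wp-content/uploads"
if [ -d "$UPLOADS" ]; then
    n=$(count_php_in_uploads "$UPLOADS")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n PHP file(s) under $UPLOADS - review each before deleting:"
        find_php_in_uploads "$UPLOADS"
    else
        echo "No PHP files under $UPLOADS"
    fi
fi
```

A hit here is a strong indicator but not proof of compromise (some poorly written plugins do place PHP in uploads), and a clean result does not prove the site is safe, since an attacker with code execution can write files anywhere the web server user can; treat this as a first triage step before a full scan.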
What Can You Do to Help?
This is a critical vulnerability with a 9.9/10 security risk – we need to get the word out there!
PLEASE SHARE THE WORD! Share this article to your business network on LinkedIn, Facebook or via email to ensure that we are helping our fellow business owners keep their websites safe.
Better online living everyone!
Summary of the Vulnerability
Description: Authenticated Arbitrary File Upload
Affected Products: Divi Theme, Extra Theme, and Divi Builder plugin
Theme Slugs: Divi, extra
Plugin Slug: Divi-builder
Affected Versions: (Divi): 3.0 – 4.5.2
Affected Versions: (Extra): 2.0 – 4.5.2
Affected Versions: (Divi Builder): 2.0 – 4.5.2
CVE ID: Pending.
CVSS Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version (same for all products): 4.5.3