Divi Announces Security Vulnerability


The Wordfence Security team has found a security vulnerability in Elegant Themes’s themes Divi and Extra, as well as in the Divi Builder plugin. Elegant Themes writes:

Today Divi, Extra and the Divi Builder plugin were updated to fix a security vulnerability. Updating these themes and plugins to their latest versions will fix the problem and keep your website secure.

The builder lacked sufficient file type checks in the Divi Portability system, allowing for arbitrary file uploads. This is a critical security issue that could allow logged-in contributors, authors and editors with access to the builder to upload disallowed files to the server, leading to further exploit.

Fortunately, the problem looks confined to abuse by existing users, rather than a more general-purpose exploit, but please update Divi (the theme and the plugin) as soon as you can.

Not to pile on, but Divi—and everything else Elegant Themes creates—is fast headed to the absolute bottom of my list of WordPress software quality.

It’s not just this recent problem; before that, I’ve interacted with two clients in only the past month who cannot use major sections of their sites because the Divi Builder is broken in crucial ways. (One person is experiencing 30-second delays on any interaction on the post editing screen, even with Divi disabled; the other can’t change her Divi layouts because trying to delete a Divi row triggers a JavaScript error.) Because these bugs are baked into the page builder, I can’t fix them: I just have to route around them.

Divi obviously makes a big target for security exploits, and kudos to their team for disclosing the vulnerability. But still, please tell a friend to tell a friend to avoid Divi—and, honestly, Elegant Themes altogether.

