Divi Announces Security Vulnerability
The Wordfence Security team has found a security vulnerability in Elegant Themes’s Divi and Extra themes, as well as in the Divi Builder plugin. Elegant Themes writes:
“Today Divi, Extra and the Divi Builder plugin were updated to fix a security vulnerability. Updating these themes and plugins to their latest versions will fix the problem and keep your website secure.
“The builder lacked sufficient file type checks in the Divi Portability system, allowing for arbitrary file uploads. This is a critical security issue that could allow logged-in contributors, authors and editors with access to the builder to upload disallowed files to the server, leading to further exploit.”
Fortunately, the problem looks confined to abuse by existing users, rather than a more general-purpose exploit, but please update Divi (the theme and the plugin) as soon as you can.
Not to pile on, but Divi—and everything else Elegant Themes creates—is fast headed to the absolute bottom of my list of WordPress software quality.
Divi obviously makes a big target for security exploits, and kudos to their team for disclosing the vulnerability. But still, please tell a friend to tell a friend to avoid Divi—and, honestly, Elegant Themes altogether.