A new, critical security hole has been discovered by Wordfence in the popular WordPress theme Divi by Elegant Themes. The security hole affects the Divi theme and Extra, as well as the Divi Builder extension.
⚠️ We’ve already enabled a fix for all accounts we’ve identified as using a version of Divi that leaves you vulnerable. Read more below.
The security hole is fixed in a new version, 4.5.3 (for all three products) released on August 3. If you use Divi, Extra or Divi Builder, you should update to the new version as soon as possible.
Sites using Divi version 3.0 or higher, Extra version 2.0 or higher, or Divi Builder version 2.0 or higher are vulnerable. The security hole means that an unauthorized user can execute code on your website and your account.
You can read more about the security hole on the Wordfence blog.
Vulnerable websites on our servers are patched
You should update to the latest version of Divi, Extra or Divi Builder as soon as possible.
As an interim measure, we have scanned all websites using Divi on our servers and enabled protection against this vulnerability.
The protection is applied via the .htaccess file on your site, where we have blocked the ability to run code from the uploads folder in WordPress.
There are very few reasons to ever have to allow code to run from uploads. So it’s a good idea to keep our adjustment, even after you’ve updated.
But sometimes individual plugins or themes run code directly from the uploads folder. If you notice something suddenly going wrong on your site, this may be the reason.
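A rule of the kind described above, as an added example and not the exact rule applied on our servers (which is not shown on this page). The file location `wp-content/uploads/.htaccess` and the list of extensions are assumptions.

```apache
# wp-content/uploads/.htaccess  (assumed location; example only)
# Refuse direct HTTP requests for PHP-type files in the uploads folder.
# Images, PDFs and other media are still served normally.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

With a rule like this, a plugin or theme that requests a PHP file in uploads directly over HTTP gets a 403 response, which is the kind of breakage mentioned above. The rule only takes effect on Apache when the server's `AllowOverride` setting permits these directives in .htaccess files.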