DIVI Security vulnerability - Bypassing cross-site request forgery checks

edited March 2019 in Web Development

An independent security researcher recently discovered a vulnerability in DIVI by Elegant Themes. A security patch has been released for DIVI builder and DIVI themes, updating these products to their latest versions will apply the patch, keeping your WordPress website secure.

The Problem

Some cross-site request forgery checks within our core product framework could be potentially bypassed. In all cases, these checks were also hardened by user permission checks, however, user permissions checks alone are not sufficient to protect against all CSRF vectors.

Are You Affected?

The problems identified affect any WordPress site using the Divi theme, Extra theme or the Divi Builder plugin. Specifically it affects these websites that also have open user registration or low level post authors.

How To Fix It

There is a available patch for this here or updating the theme and plugins will patch the bugs and improve the security of your WordPress site. If you don't currently have a WordPress SLA or Managed WordPress hosting service, then you will have to apply these updates manually. You can purchase an Elegant Themes API key at reduced rate via our Special Offers page. There is also an option for a $20 one time update for DIVI available here.

Sign In or Register to comment.