TechnologyWebsite BuildersWordPress Hosting

Critical Divi Builder WordPress Plugin/Theme Vulnerability

Up to date on January 19, 2022

divi builder wordpress exploit

WordPress Divi Builder PHP Code Injection

Elegant Themes’ Divi Builder is the most well-liked WordPress web page builder. It allows customers to construct stunning pages with out understanding tips on how to code. The Divi Builder WordPress plugin is weak to a content material injection assault that lets attackers inject and execute arbitrary code as a result of the applying fails to sanitize user-supplied enter. Attackers can exploit this situation to execute arbitrary PHP code inside the context of the affected webserver course of.

Throughout a routine safety audit, important vulnerabilities had been discovered within the Divi Builder Plugin, Divi Theme, and Additional Theme. This vulnerability might be exploited and will doubtlessly get your wordpress website hacked.


It’s essential to replace to plugin model 4.0.10 or newest and take rapid steps to repair the vulnerability.

Weak Plugins & Themes:

  • Divi Builder Plugin
  • Divi Theme
  • Additional Theme
  • Vulnerability Disclosed: 02-01-2020
  • Patch Launch Date: 03-01-2020

Patched Variations:

  • Divi Builder Plugin – 4.0.10
  • Divi Theme – 4.0.10
  • Additional Theme – 4.0.10

Over 600,000 web sites are utilizing Divi Builder. Many of those web sites are additionally powered by the Divi or the Additional Theme.

Straight away, the Elegant Themes workforce has launched updates for his or her affected merchandise, which fixes these safety points and fixes just a few different bugs.

So updating Divi, Additional, and the Divi Builder plugin is necessary and pressing.


Divi is extremely straightforward to make use of and also you’ll be constructing web sites in file time.

Divi Builder, which was added to Divi 4.0, lets you create your web site on the front-end in real-time.

In different phrases, you see your modifications as you make them, eliminating back-end journeys, saving you plenty of time.

All components on the web page might be simply personalized; it’s all level and clicks. If you wish to transfer objects round, drag and drop performance is at your disposal.


It’s essential to take rapid steps to repair the vulnerability. On this article, we’ll inform you what you must defend your web site.

Request A Free WordPress Safety Audit Right here

What’s the Divi Vulnerability & its Affect?

An inside code audit of Elegant Themes has detected a number of safety vulnerabilities in the most well-liked and present merchandise of the corporate of the well-known Divi theme.

It permits customers’ roles like contributors, authors, and editors to execute sure PHP capabilities.

The vulnerability might be exploited by untrustworthy customers. In case you are affected by the vulnerability, you must take rapid motion.

A privilege escalation vulnerability was found that might permit low-level customers, resembling these within the Creator profile, to make use of unfiltered HTML inside submit content material when utilizing the Divi constructor.

The usage of this code within the entries is normally reserved for directors.

Are You Affected by the Divi Vulnerability?

The issues recognized have an effect on all web sites that use the Divi theme, the Additional theme or the Divi Builder plugin. It particularly impacts these web sites that even have an open person registry or low-level authors of the publication.

Web sites operating the next variations are affected by the vulnerability –

  • Divi Builder model 2.23 and above.
  • Divi model 3.23 and above.
  • Additional 2.23 and above. 


How have you learnt what Divi Builder model you could have?

To examine which model of the Divi Builder plugin you might be utilizing, 

  • log into your WordPress dashboard, 
  • go to Plugins > Put in Plugins > Divi Builder. 

You can find a small description of the plugin together with the plugin model.

As for the themes,

  • go to Look > Themes > Divi & Additional after which click on on Particulars. 

You’ll discover the model of the theme.

Critical Vulnerabilities Found in Divi Builder - Divi Theme Update

Methods to Repair Web site Affected by the Divi Vulnerability?

Updating your themes and plugins will patch errors and enhance the safety of your wordpress web site. You possibly can replace your themes or plugins from the WordPress management panel, or you may obtain the most recent variations from the Elegant Themes member space and replace them manually.

Following the invention of the vulnerability, the Elegant Themes workforce launched a patch within the type of an replace.

To replace the plugin and themes, you must log into your WordPress dashboard and choose Updates from the menu.

Wordpress Updates - Critical Vulnerabilities Found in Divi Builder

On the Updates web page, you may see all of the themes and plugins that you must replace.

  • Choose Divi Builder plugin and click on on Replace Plugin
  • Choose Divi and Additional theme and click on and Replace Theme

The plugin and themes will probably be up to date to model 4.0.10 which accommodates the safety patch.

Along with this vulnerability, the next are additionally up to date:

Divi – Additional

  • Fastened right-click fastened controls on empty full-width sections
  • Added lacking choices for border types and backgrounds tabs.
  • Fastened languages ​​that use quotation characters apart from these utilized in English, inflicting dynamic content material to not show accurately on the internet.

Monarch, Bloom and Divi Builder

  • Fastened downside with the show of dynamic content material in world modules in some circumstances.
  • Fastened situation the place button textual content choice couldn’t be copied between button modules.
  • Fastened visible constructor choice management solely being thrown in an onChange occasion when wanted.
  • Fastened the show of the interior box-shadow within the visible constructor.
  • Fastened the Blurb module title hyperlink not being utilized to the title.
  • Fastened HTML filtering incorrectly in earlier than and after settings for dynamic content material.
  • Fastened incompatibility of the Autoptimize plugin with the visible constructor, which precipitated the wealthy textual content management to not work.
  • Fastened a JavaScript bug that broke some modules in BB when checking dynamic content material.
  • Fastened the quantity of the bar counter not altering when hovering in percentages of small quantities.

What About Expired Divi Accounts?

These updates for Divi, Additional, and the Divi Builder plugin can be found at no cost for all expired accounts. Even when your account has expired, you may replace your themes or plugins to their newest variations by means of the WordPress management panel. Expired accounts is not going to have replace restrictions.

This isn’t the case for Bloom or Monarch updates, for which you must have an lively license.

Has Your Web site Been Hacked?

Hackers are all the time looking out for vulnerabilities that they will exploit to hold out their misdeeds. If in case you have the slightest suspicion that your web site is hacked, it’s greatest to scan your web site utilizing WP Hacked Assist Scanner.

Many WordPress website homeowners are utilizing outdated plugins and themes.

As these plugins and themes include recognized vulnerabilities, it is vitally straightforward for a hacker to take advantage of them.

Subsequently, if the plugin developer gives an replace, you need to hasten to comply with it.

Likewise, don’t maintain any pointless or disabled theme or plugin in your server: so long as it’s current on it, it represents a possible risk. To maintain you web site protected from hacking you need to maintain the plugin and WordPress as much as dated with appropriate wordpress file permissions and comply with our Step by Step WordPress safety guidelines information.

Replace your plugins and themes

For plugins and themes that you just had not up to date (ie those most definitely to have been hacked), you may take away them, and reinstall them.

  • Test the safety of the plugin or theme earlier than reinstalling.
  • Don’t reinstall any free plugins or themes that you just received exterior of WordPress plugin and theme directories. Purchase premium variations as an alternative or change them with free however safe options.
  • Keep away from nulled wordpress themes as they are often contaminated with mailicous code. Test right here to scan your wordpress theme for malware.
  • If the issue persists, it’s possible you’ll have to reinstall WordPress itself. Information compromised within the WordPress core will probably be changed with a “clear” set up.
  • Be sure to replace your website with current wordpress safety updates.


Even should you belief all of your customers and really feel your web site just isn’t in hurt’s means proper now, you need to patch the vulnerability.

As we all the time say, you must all the time maintain every part up to date, and particularly the theme and plugins that you just use essentially the most, for your self or for purchasers.

To guarantee that the safety gap has been stuffed, the most effective resolution is to name on a WP Hacked Assist knowledgeable to carry out a safety audit in your website.

Like this:

Like Loading…

Show More

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *