33 Comments

  1. J

    Kudos to them for disclosing it and not covering it up.

    • Bob

      Yes, but I was surprised by the absence of a post covering the issue on https://www.elegantthemes.com/blog/.

      After receiving the email, I’m sure I wasn’t the only one looking for updates and discussion on the situation over there.

      Given the critical nature of the vulnerability and the number of people affected, surely that would go hand in hand with email notification which is hit and miss at the best of times?

      Perhaps not the kind of post people love to write, but ultimately positive for a brand.

      For instance, I think this kind of disclosure builds trust: http://blog.linuxmint.com/?p=2994

      Or perhaps I’m being a bit harsh?

      • Nick Roach

        Hi Bob,

        Email is the most effective way for us to communicate with our customers in a situation like this, and it’s also the best way for us to facilitate post-disclosure support and updated assistance on an individual basis. Unlike LinuxMint, which is a free product, we have the contact info of all our users, which is why we took this route. In this case we used the email itself as our public disclosure, publicizing it on MailChimp and linking to it directly in our changelogs so that the info could be shared.

        We didn’t just send one email. We are continuing to use our MailChimp open rate stats to re-send the disclosure to anyone who didn’t open the first one, and we will keep doing so until we help as many people upgrade as possible. We are working hard to keep everyone safe.

        I understand your point though, and perhaps a followup blog post is warranted. We prioritized email in this case.

  2. James Golovich

    I originally discovered this issue and disclosed it to Elegant Themes. After sufficient time has passed I will publish my full disclosure post detailing the information.

    • Reid

      Please do so soon, as their current fix very nearly cripples the theme. (Basically, they added thousands of esc_html calls) I see a huge increase in cpu use on page builder page edits. Takes my shared server a very, very long time to process a page update now. Perhaps your disclosure will help them find a better way to fix this.

      • Nick Roach

        Hi Reid,

        Have you had the chance to open a support ticket yet? We would love to take a closer look at your specific issue and address any performance issues where possible. If you are upgrading from an older version (especially one prior to 2.6), then a lot has changed in the Divi Builder, and it’s quite possible that progression in other areas has caused the overall increase in CPU usage you are experiencing. I think the symptoms you are experiencing might be due to a change we made to ajax requests in 2.6.4 which is unrelated to this vulnerability and was actually put in place to reduce peak PHP memory usage. Either way, a closer look and additional information would help us optimize things for you. You can open a new support ticket here: https://www.elegantthemes.com/forum/

        • Reid

          Hi Nick, thanks for the reply! I will create a ticket and then provide login info for you guys to have a look at this development site.

          Yes, I had updated this site from 2.5.9 to 2.6.4.1, and on further observation much of the lag appears to be client side. On opening a page to edit or after updating it, my computer will sit at about 50% CPU usage for up to a minute or more. It is making editing long pages with complicated layouts extremely slow. I am even getting typing lag; it will take several seconds for characters to appear after they have been entered.

          I will provide additional detail in the ticket.

      • Kofta

        So, was the vulnerability that Elegant Themes forgot escaping, lol?

    • Nick Roach

      Thank you for responsibly disclosing this vulnerability to us James. We couldn’t be more disappointed in ourselves for making this mistake, but we are glad that we were able to identify and fix the problem before any of our customers were reportedly affected, and we are doing everything we can to make it easy for our customers (active and expired) to update their software quickly. We are working hard to identify how this happened, and more importantly how we can prevent it from happening in the future.

  3. Shadi

    It’s not 100% clear if this includes Divi v2.2 or not?

    • Nick Roach

      Hi Shadi,

      All versions of Divi are affected. From version 2.2, you can upgrade to 2.3.4 (legacy), which will fix the vulnerability without adding lots of new features. Version 2.6.4 is the most recent version; 2.6.4 and above are also secure. You will see these update notifications in your WordPress dashboard, but you can also contact us directly if you need assistance.

  4. Joel

    Does anyone know where to find the Security Patcher plugin?

  5. Cyclopsthere

    Kudos to ElegantThemes, now if they could work on their support forum, the search feature is abysmal and by the time someone replies I’ve already given up and switched to a different theme.

  6. willc

    I’m a Lifetime Access member at Elegant Themes but I never received the email. Luckily, I saw this in news articles this morning. How do I get signed up for these alerts?

    • Nick Roach

      Hi Will,

      You might want to check to make sure your email address is up to date in your Elegant Themes account and check your email spam folder as well. We sent out emails to everyone, and we plan to continue re-sending the disclosure to those that have not opened the original email (using our MailChimp open rate stats).

  7. David McCan

    I appreciate the thorough and responsible actions taken to get the fix out. I’ve been very impressed with Elegant Themes.

  8. S K Mathew

    I got the email alert from Elegant Themes, and in Gmail it was in the Updates folder.
    My membership had expired, but one of the sites that had the Elegant Themes updater plugin updated to a safe version.
    Thanks Elegant Themes for responding to the issue in a professional way.

  9. Keith Davis

    All sites now updated – thanks to Nick Roach and his team over at ET.

    And of course thanks to Sarah…. always ahead of the game.

  10. Terence

    I am beginning to think I made a big mistake in buying the Divi theme for my current project ~ I don’t get security warnings about important vulnerabilities discovered, my requests for help are responded to by @Nick Roach (Founder & Lead Developer), and my support ticket has remained unanswered for nearly a week. So much for their Satisfaction Ratings and Our Pledge To Better Understand Each & Every Customer ~ it obviously doesn’t extend as far as me.

    • Nick

      Sorry to hear that Terence. I checked the ticket you linked to, and it appears that our team responded to you daily and eventually helped you perform the customization you were requesting. I checked your most recent tickets as well, and they have all been responded to and resolved. If you need anything else, we are here to help.

      • Terence

        Thanks Nick.

        Yes, I was very grateful when they did that, since I had only asked for their advice on why it was not working. I just assumed they were embarrassed about how long it had taken to get a response.

        A month ago I asked why ~ No styling for input[type=number] fields ~ and was told “Our Dev team will fix it as soon as it possible”. Since then I heard nothing.

        Plus I also asked about ~ Blog body font size ~ and was given the correct answer by “Jack D” the same day.

        So it’s not all bad news. But all that still doesn’t change the fact that I did NOT receive a critical security update notification by email, and I was NOT informed in my client dashboard.

        The first I knew about it was when I read it here on WP Tavern {thank you WP Tavern!!!!}.
