Critical Security Vulnerability Discovered in Elegant Themes Products


Elegant Themes emailed its customers last night to inform them of a critical security vulnerability affecting a large segment of its product line.

An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.

In addition to the Divi Builder, the vulnerability was also found in the Divi, Extra, and Divi 2.3 (legacy) themes and the Boom and Monarch plugins. It was privately disclosed and promptly patched by Elegant Themes with the help of a third-party security vendor. No known exploit attempts have been made.

Updating the themes and plugins will fix the vulnerability but the patches were created only for the most recent versions. Legacy theme customers now have an upgrade path, including a version that doesn’t add new functionality. Customers who are not ready to update are advised to turn registration off on their sites, as untrusted users increases the possibility of privilege escalation. Elegant Themes also recommends installing its Security Patcher plugin and utilizing the CloudProxy WAF from Sucuri, which has virtually patched the vulnerability.

As of 2015, Elegant Themes has more than 300,000 customers. Given the severity of the vulnerability, the company is also making the updates available for free to all expired accounts via its updater plugin. Customers who have forgotten their login credentials can contact Elegant Themes to have the latest versions of the themes and plugins sent to them.


33 responses to “Critical Security Vulnerability Discovered in Elegant Themes Products”

    • Yes, but I was surprised by the absence of a post covering the issue on

      After receiving the email, I’m sure I wasn’t the only one looking for updates and discussion on the situation over there.

      Given the critical nature of the vulnerability and the number of people affected, surely that would go hand in hand with email notification which is hit and miss at the best of times?

      Perhaps not the kind of post people love to write, but ultimately positive for a brand.

      For instance, I think this kind of disclosure builds trust:

      Or perhaps I’m being a bit harsh?

      • Hi Bob,

        Email is the most effective way for us to communicate with our customers in a situation like this, and it’s also the best way for us to facilitation post-disclosure support and updated assistance on an individual basis. Unlike LinuxMint, which is a free product, we have the contact info of all our users, which is why we took this route. In this case we used the email itself as our public disclosure, publicizing it on MailChimp and linking to it directly in our changelogs so that the info could be shared.

        We didn’t just send one email. We are continuing to use our MailChimp open rate stats to re-send the disclosure to anyone who didn’t open the first one, and we will keep doing so until we help as many people upgrade as possible. We are working hard to keep everyone safe.

        I understand your point though, and perhaps a followup blog post is warranted. We prioritized email in this case.

    • Please do so soon, as their current fix very nearly cripples the theme. (Basically, they added thousands of esc_html calls) I see a huge increase in cpu use on page builder page edits. Takes my shared server a very, very long time to process a page update now. Perhaps your disclosure will help them find a better way to fix this.

      • Hi Reid,

        Have you had the chance to open a support ticket yet? We would love to take a closer look at your specific issue and address any performance issues where possible. If you are upgrading from an older version (especially one prior to 2.6), then a lot has changed in the Divi Builder, and it’s quite possible that progression in other areas have caused the overall increase in CPU usage you are experiencing. I think the symptoms you are experiencing might be due to a change we made to ajax requests in 2.6.4 which is unrelated to this vulnerability and was actually put in place to reduce peak PHP memory usage. Either way, a closer look and additional information would help us optimize things for you. You can open a new support ticket here:

        • Ni Nick, thanks for the reply! I will create a ticket and then provide login info for you guys to have a look at this development site.

          Yes, I had updated this site from 2.5.9 to, and on further observation much of the lag appaers to be client side. On opening a page to edit or after updating it, my computer will sit at about 50% cpu useage for up to a minute or more. It is making editing long pages with complicated layouts extremely slow. I am even getting typing lag, it will take several seconds for characters to appear after they have been entered.

          I will provide additional detail in the ticket.

    • Thank you for responsibly disclosing this vulnerability to us James. We couldn’t be more disappointed in ourselves for making this mistake, but we are glad that we were able to identify and fix the problem before any of our customers were reportedly affected, and we are doing everything we can to make it easy for our customers (active and expired) to update their software quickly. We are working hard to identify how this happened, and more importantly how we can prevent it from happening in the future.

    • Hi Shadi,

      All versions of Divi are affected. From version 2.2, you can upgrade to 2.3.4 (legacy), which will fix the vulnerability without adding lots of new features. Versions 2.6.4 is the most recent version. 2.6.4 and above are also secure. You will see these update notifications in your WordPress dashboard, but you can also contact us directly if you need assistance.

  1. I got the email alert from elegant themes. And in gmail it was in update folder.
    My membership was expired but one of the sites that had elegant theme updater plugin updated to a safe version.
    Thanks Elegant themes for responding to the issue in a professional way.

  2. I am beginning to think I made a big mistake in buying the Divi theme for my current project ~ I don’t get security warnings about important vulnerabilities discovered, my answers to requests for help are responded to by @Nick Roach (Founder & Lead Developer), and my support ticket has remained unanswered for nearly a week . So much for their Satisfaction Ratings and Our Pledge To Better Understand Each & Every Customer ~ it obviously doesn’t extend as far as me.

    • Sorry to hear that Terence. I checked the ticket you linked to, and it appears that our team responded to you daily and eventually helped you perform the customization you were requesting. I checked your most recent tickets as well, and they have all been responded to and resolved. If you need anything else, we are here to help.

      • Thanks Nick.

        Yes, I was very grateful when they did that since I had only asked for their advice on why it was not working. I just assumed they were just embarrassed about how long it had taken to get a response.

        A month ago I asked why ~ No styling for input[type=number] fields ~ and was told “Our Dev team will fix it as soon as it possible”. Since then I heard nothing.

        Plus I also asked about ~ Blog body font size ~ and was given the correct answer by “Jack D” the same day.

        So it’s not all bad news. But all that still doesn’t change the fact that I did NOT receive a critical security update notification by email, and I was NOT informed in my client dashboard.

        The first I knew about it was when I read it here on WP Tavern {thank you WP Tavern!!!!}


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: