Elegant Themes emailed its customers last night to inform them of a critical security vulnerability affecting a large segment of its product line.
An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.
In addition to the Divi Builder, the vulnerability was also found in the Divi, Extra, and Divi 2.3 (legacy) themes and the Boom and Monarch plugins. It was privately disclosed and promptly patched by Elegant Themes with the help of a third-party security vendor. No known exploit attempts have been made.
Updating the themes and plugins will fix the vulnerability, but the patches were created only for the most recent versions. Legacy theme customers now have an upgrade path, including a version that doesn’t add new functionality. Customers who are not ready to update are advised to turn registration off on their sites, as untrusted registered users increase the possibility of privilege escalation. Elegant Themes also recommends installing its Security Patcher plugin and utilizing the CloudProxy WAF from Sucuri, which has virtually patched the vulnerability.
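The advisory describes low-privilege registered users being able to manipulate posts through the builder; the following is an added illustration (not Elegant Themes' code, and the article gives no detail on the actual flaw) of the WordPress pattern that closes that class of issue: an AJAX handler that verifies a nonce and then checks a per-post capability rather than merely that the caller is logged in. The action and nonce names (et_demo_save_post, et_demo_nonce) are made up for the example.

```php
<?php
// Added example, not code from the Divi Builder. Interim mitigation from the
// advisory (stop untrusted sign-ups) can be applied once with WP-CLI:
//   wp option update users_can_register 0
// which is the same as unchecking "Anyone can register" in Settings > General.

// Defensive handler: authenticate the request (nonce) AND authorise the
// action for this specific post (capability). A subscriber-level account
// passes the "logged in" test but fails current_user_can('edit_post').
add_action( 'wp_ajax_et_demo_save_post', 'et_demo_save_post' );

function et_demo_save_post() {
    // CSRF protection: wp_die()s with a 403-style response if the nonce is bad.
    check_ajax_referer( 'et_demo_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Authorisation: the role-aware check that stops privilege escalation.
    // 'edit_post' is mapped per post, so authors cannot edit others' posts
    // and subscribers cannot edit anything.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // terminates here
    }

    // Sanitise builder content before it reaches the database.
    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';

    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_content' => $content ),
        true // return WP_Error instead of 0 on failure
    );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }

    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```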
As of 2015, Elegant Themes has more than 300,000 customers. Given the severity of the vulnerability, the company is also making the updates available for free to all expired accounts via its updater plugin. Customers who have forgotten their login credentials can contact Elegant Themes to have the latest versions of the themes and plugins sent to them.
Kudos to them for disclosing it and not covering it up.