Critical Security Vulnerability Discovered in Elegant Themes Products

Elegant Themes emailed its customers last night to inform them of a critical security vulnerability affecting a large segment of its product line.

An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.

In addition to the Divi Builder, the vulnerability was also found in the Divi, Extra, and Divi 2.3 (legacy) themes and the Boom and Monarch plugins. It was privately disclosed and promptly patched by Elegant Themes with the help of a third-party security vendor. No known exploit attempts have been made.

Updating the themes and plugins will fix the vulnerability, but the patches were created only for the most recent versions. Legacy theme customers now have an upgrade path, including a version that doesn’t add new functionality. Customers who are not ready to update are advised to turn registration off on their sites, since the flaw is only reachable by registered users and every untrusted account increases the possibility of privilege escalation. Elegant Themes also recommends installing its Security Patcher plugin and utilizing the CloudProxy WAF from Sucuri, which has virtually patched the vulnerability.
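The email describes the general bug class rather than the specific code path: an action that any authenticated user can trigger, which then acts on posts the user has no right to edit. As an added illustration that is not Elegant Themes' code and makes no claim about how the Divi Builder was actually implemented, the hypothetical plugin below shows a WordPress admin-ajax handler that exhibits that class of flaw next to a hardened version. All names (`demo_save_layout`, the nonce action, the request fields) are assumptions for the example.

```php
<?php
// Added illustration only. Hypothetical plugin code, not Elegant Themes' code.
// Assumed names: action "demo_save_layout", POST fields post_id / content / nonce.

// BEFORE (do not hook this): wp_ajax_* callbacks run for ANY logged-in user,
// whatever their role. With no capability check, a subscriber could rewrite
// the content of any post by posting to admin-ajax.php?action=demo_save_layout.
function demo_save_layout_insecure() {
    $post_id = (int) $_POST['post_id'];
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $_POST['content'], // unvalidated, unsanitized input
    ) );
    wp_send_json_success();
}

// AFTER: three checks in order. (1) The request carries a nonce minted for
// this action, so it came from our own UI. (2) This user may edit THIS post,
// via the core meta-capability, which also covers roles correctly.
// (3) Stored content is sanitized with wp_kses_post(); output escaping
// (esc_html/esc_attr) is still applied separately when the value is rendered.
add_action( 'wp_ajax_demo_save_layout', 'demo_save_layout_secure' );
function demo_save_layout_secure() {
    // Dies with a 403-style response if the nonce is missing or invalid.
    // The client obtains it from wp_create_nonce( 'demo_save_layout' ).
    check_ajax_referer( 'demo_save_layout', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $content = isset( $_POST['content'] )
        ? wp_kses_post( wp_unslash( $_POST['content'] ) )
        : '';

    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
    ), true ); // second argument: return WP_Error instead of 0 on failure

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

The interim mitigation the email recommends, disabling open registration, maps to a single core option; on a site with WP-CLI it is `wp option update users_can_register 0`, which is the same setting as Settings → General → "Anyone can register". That shrinks the pool of accounts able to reach `wp_ajax_*` handlers, but existing low-privilege accounts keep their access until the patched version is installed.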

As of 2015, Elegant Themes has more than 300,000 customers. Given the severity of the vulnerability, the company is also making the updates available for free to all expired accounts via its updater plugin. Customers who have forgotten their login credentials can contact Elegant Themes to have the latest versions of the themes and plugins sent to them.

33 Comments


  1. Kudos to them for disclosing it and not covering it up.


    1. Yes, but I was surprised by the absence of a post covering the issue on https://www.elegantthemes.com/blog/.

      After receiving the email, I’m sure I wasn’t the only one looking for updates and discussion on the situation over there.

      Given the critical nature of the vulnerability and the number of people affected, surely that would go hand in hand with email notification which is hit and miss at the best of times?

      Perhaps not the kind of post people love to write, but ultimately positive for a brand.

      For instance, I think this kind of disclosure builds trust: http://blog.linuxmint.com/?p=2994

      Or perhaps I’m being a bit harsh?


      1. Hi Bob,

        Email is the most effective way for us to communicate with our customers in a situation like this, and it’s also the best way for us to facilitate post-disclosure support and update assistance on an individual basis. Unlike LinuxMint, which is a free product, we have the contact info of all our users, which is why we took this route. In this case we used the email itself as our public disclosure, publicizing it on MailChimp and linking to it directly in our changelogs so that the info could be shared.

        We didn’t just send one email. We are continuing to use our MailChimp open rate stats to re-send the disclosure to anyone who didn’t open the first one, and we will keep doing so until we help as many people upgrade as possible. We are working hard to keep everyone safe.

        I understand your point though, and perhaps a followup blog post is warranted. We prioritized email in this case.


  2. I originally discovered this issue and disclosed it to Elegant Themes. After sufficient time has passed I will publish my full disclosure post detailing the information.


    1. Please do so soon, as their current fix very nearly cripples the theme. (Basically, they added thousands of esc_html calls) I see a huge increase in cpu use on page builder page edits. Takes my shared server a very, very long time to process a page update now. Perhaps your disclosure will help them find a better way to fix this.


      1. Hi Reid,

        Have you had the chance to open a support ticket yet? We would love to take a closer look at your specific issue and address any performance issues where possible. If you are upgrading from an older version (especially one prior to 2.6), then a lot has changed in the Divi Builder, and it’s quite possible that progression in other areas has caused the overall increase in CPU usage you are experiencing. I think the symptoms you are experiencing might be due to a change we made to ajax requests in 2.6.4 which is unrelated to this vulnerability and was actually put in place to reduce peak PHP memory usage. Either way, a closer look and additional information would help us optimize things for you. You can open a new support ticket here: https://www.elegantthemes.com/forum/


      2. Hi Nick, thanks for the reply! I will create a ticket and then provide login info for you guys to have a look at this development site.

        Yes, I had updated this site from 2.5.9 to 2.6.4.1, and on further observation much of the lag appears to be client side. On opening a page to edit or after updating it, my computer will sit at about 50% CPU usage for up to a minute or more. It is making editing long pages with complicated layouts extremely slow. I am even getting typing lag; it will take several seconds for characters to appear after they have been entered.

        I will provide additional detail in the ticket.


      3. So, was the vulnerability that Elegant Themes forgot escaping, lol?


    2. Thank you for responsibly disclosing this vulnerability to us James. We couldn’t be more disappointed in ourselves for making this mistake, but we are glad that we were able to identify and fix the problem before any of our customers were reportedly affected, and we are doing everything we can to make it easy for our customers (active and expired) to update their software quickly. We are working hard to identify how this happened, and more importantly how we can prevent it from happening in the future.


  3. It’s not 100% clear if this includes Divi v2.2 or not?


    1. Hi Shadi,

      All versions of Divi are affected. From version 2.2, you can upgrade to 2.3.4 (legacy), which will fix the vulnerability without adding lots of new features. Version 2.6.4 is the most recent version; 2.6.4 and above are also secure. You will see these update notifications in your WordPress dashboard, but you can also contact us directly if you need assistance.


  4. Does anyone know where to find the Security Patcher plugin?


    1. It’s a free plugin that you can download by logging into your Elegant Themes account.


      1. When I click on the link in your email to get the free download it goes to the login page. My account is expired but I still know my login info, and it seems to log me in, but there’s no download there or way for me to get the plugin. It just wants me to renew my subscription. Please provide a link to the actual plugin file, if possible. Thanks.


      2. Hi Dan,

        If your account has expired then you can reply to the email directly and we will send you free updated versions of all themes, plugins and the security patcher.


  5. Kudos to ElegantThemes, now if they could work on their support forum, the search feature is abysmal and by the time someone replies I’ve already given up and switched to a different theme.


  6. I’m a Lifetime Access member at Elegant Themes but I never received the email. Luckily, I saw this in news articles this morning. How do I get signed up for these alerts?


    1. Hi Will,

      You might want to check to make sure your email address is up to date in your Elegant Themes account and check your email spam folder as well. We sent out emails to everyone, and we plan to continue re-sending the disclosure to those that have not opened the original email (using our MailChimp open rate stats).


      1. Well, not quite everyone.

        I have nothing in my mailbox.
        I have nothing in my spam folder.
        I have nothing in my Members Area.

        What’s up doc? :-(


      2. What’s your username Terrence?

        If the email was truly not received, then that means it either bounced (was rejected by your mail server) or your Elegant Themes email address is outdated. Either way, I can confirm via our MailChimp delivery stats if you provide me with your username and then re-send the email to the correct address if necessary.


      3. The name is Terence Nick, not Terrence.

        The login is QloudPress and the email address is correct, and always has been.

        Even given the uncertainty of email routing, this still doesn’t explain why there’s no warning in the account area.


      4. I changed my profile to a different email address to see if that helps.

        It’d be great if you guys put a note about it in the Members area, and/or on your blog. Those of us who didn’t get the email were left to do sleuthing on our own.


      5. Hi Will,

        I confirmed that the email was sent and received by your original email address, which means it was probably filtered out by your email software. The next round will be sent out to your new email address.


  7. I appreciate the thorough and responsible actions taken to get the fix out. I’ve been very impressed with Elegant Themes.


  8. I got the email alert from elegant themes. And in gmail it was in update folder.
    My membership was expired but one of the sites that had elegant theme updater plugin updated to a safe version.
    Thanks Elegant themes for responding to the issue in a professional way.


  9. All sites now updated – thanks to Nick Roach and his team over at ET.

    And of course thanks to Sarah…. always ahead of the game.


  10. I am beginning to think I made a big mistake in buying the Divi theme for my current project ~ I don’t get security warnings about important vulnerabilities discovered, my answers to requests for help are responded to by @Nick Roach (Founder & Lead Developer), and my support ticket has remained unanswered for nearly a week. So much for their Satisfaction Ratings and Our Pledge To Better Understand Each & Every Customer ~ it obviously doesn’t extend as far as me.


    1. Sorry to hear that Terence. I checked the ticket you linked to, and it appears that our team responded to you daily and eventually helped you perform the customization you were requesting. I checked your most recent tickets as well, and they have all been responded to and resolved. If you need anything else, we are here to help.


      1. Thanks Nick.

        Yes, I was very grateful when they did that since I had only asked for their advice on why it was not working. I just assumed they were just embarrassed about how long it had taken to get a response.

        A month ago I asked why ~ No styling for input[type=number] fields ~ and was told “Our Dev team will fix it as soon as it possible”. Since then I heard nothing.

        Plus I also asked about ~ Blog body font size ~ and was given the correct answer by “Jack D” the same day.

        So it’s not all bad news. But all that still doesn’t change the fact that I did NOT receive a critical security update notification by email, and I was NOT informed in my client dashboard.

        The first I knew about it was when I read it here on WP Tavern {thank you WP Tavern!!!!}
