Attackers could escalate privileges, edit content & settings

Feb 24, 2016 23:51 GMT

Elegant Themes, a company that provides WordPress themes and plugins, has issued a security alert regarding two of its themes and three plugins that would allow attackers to change site content or plugin settings.

An unnamed security researcher discovered the issues and privately disclosed the problem to Elegant Themes. The company worked with the security researcher and a private Web security vendor (Sucuri) to assess and address the problems.

As soon as the company managed to fix all the reported vulnerabilities, it started sending out emails to all of its clients, first sent out on February 17, and then re-sent a few days later. You can read a copy of the letter here, courtesy of SC Magazine.

Low-tier users could alter site content, settings

The vulnerabilities affected the Divi, Divi 2.3 (legacy), and Extra themes, and the Divi Builder, Bloom, and Monarch plugins.

According to Nick Roach of Elegant Themes, the Divi Builder plugin included an information disclosure bug that could be exploited to elevate a low-privileged user's rights far enough to modify the content of the site's posts.

Because the Divi Builder plugin was bundled by default with the Divi, Divi 2.3 (legacy), and Extra themes, every site built on those themes that had user registration open was exposed: anyone could register the low-tier account needed to reach the flaw.

A second, similar vulnerability was found in the Bloom and Monarch plugins, which allowed lower-tier users to modify the settings of those plugins.

All issues have been fixed

The company provided patches as well as new plugin and theme versions to fix all the discovered issues. Users are advised to upgrade their sites as soon as possible; for those who cannot upgrade, the standalone patches fix all the issues without the incompatibilities a full update might introduce.

All these updates and patches will be provided free of charge even for older customers that no longer have an active membership on the site.

Elegant Themes says that the following plugin and theme versions fix all of the issues: Divi theme 2.6.4, Divi (legacy) theme 2.3.4, Extra theme 1.2.4, Divi Builder plugin 1.2.4, Bloom plugin 1.1.1, and Monarch plugin 1.2.7.
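The script below is an added check, not code from the article or from Elegant Themes: it reads the standard WordPress theme (style.css) and plugin (main .php file) headers under a site's wp-content directory and compares the versions found against the fixed versions listed above, taking care to tell the Divi 2.3.x legacy branch apart from the current Divi line. The sample header at the end is constructed for illustration.

```python
import re
from pathlib import Path

# First fixed versions from the advisory above. Divi runs on two branches, the 2.3.x
# legacy line (fixed in 2.3.4) and the current line (fixed in 2.6.4); None = any branch.
FIXED = {
    "Divi": [((2, 3), "2.3.4"), (None, "2.6.4")],
    "Extra": [(None, "1.2.4")],
    "Divi Builder": [(None, "1.2.4")],
    "Bloom": [(None, "1.1.1")],
    "Monarch": [(None, "1.2.7")],
}

# "Field: value" header lines as WordPress reads them from style.css / a plugin's main file.
HEADER_RE = re.compile(r"^[ \t/*#]*(Theme Name|Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M)

def parse_header(text):
    """Return (name, version) from a theme or plugin file header; missing fields are None."""
    fields = dict(HEADER_RE.findall(text))
    name = fields.get("Theme Name") or fields.get("Plugin Name")
    return name, fields.get("Version")

def version_tuple(version):
    """'2.6.4' -> (2, 6, 4): compare as integers so '2.10' is not sorted below '2.9'."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_patched(name, version):
    """True/False for components the advisory covers, None for anything else."""
    vt = version_tuple(version)
    for branch, fixed in FIXED.get(name, []):
        if branch is None or vt[: len(branch)] == branch:
            return vt >= version_tuple(fixed)
    return None

def check_text(text):
    """(name, version, patched) for one header; patched is None if the header is incomplete."""
    name, version = parse_header(text)
    return name, version, is_patched(name, version) if name and version else None

def scan_install(wp_root):
    """Yield (path, name, version, patched) for every theme and plugin under a WordPress root."""
    content = Path(wp_root, "wp-content")
    for path in [*content.glob("themes/*/style.css"), *content.glob("plugins/*/*.php")]:
        name, version, patched = check_text(path.read_text(errors="replace")[:8192])
        if name is not None:  # plugin files without a header are not plugins
            yield str(path), name, version, patched

# Constructed sample header, as a Divi install one version short of the fix would carry it.
SAMPLE_STYLE_CSS = "/*\nTheme Name: Divi\nAuthor: Elegant Themes\nVersion: 2.6.3\n*/\n"
```

Run `scan_install("/var/www/html")` (or whatever the site root is) and treat any `False` in the last column as a site that still needs the update or patch.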