Today we have installed a number of security updates for our hosting customers. This affects ElegantThemes products, including the popular Divi theme. ElegantThemes fixed a problem discovered by an independent security researcher.
Updating to the latest versions as of 12.03.2019 protects against the vulnerability. If you update your themes and plugins to the latest versions, the patch is applied and your website is protected.
The problem affected:
- Divi
- Extra
- Bloom
- Monarch
- the Divi Builder Plugin
The vulnerability could allow some of the safeguards against Cross-Site Request Forgery (CSRF) attacks to be bypassed. Although such attacks were previously blocked by user permission checks, permission checks alone are not sufficient to protect against all CSRF attacks.
Cross-Site Request Forgery (CSRF) is an attack method that forces a website user to perform unwanted actions in a web application in which they are currently authenticated. CSRF attacks target state-changing requests, not data theft, because the attacker has no way of seeing the response to the forged request.
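To illustrate why a permission check alone does not stop CSRF, here is an added example (not code from Divi or ElegantThemes) of a hypothetical WordPress admin-ajax handler, shown first with only a capability check and then with a nonce check added; the function, action and option names are assumed for the example.

```php
<?php
// Added example, not Divi/ElegantThemes code. A hypothetical admin-ajax handler
// that changes a site option. The weak version relies on a capability check
// only; the hardened version also requires a nonce, which is what actually
// stops a forged cross-site request.

// WEAK: capability check only. If a logged-in administrator is lured to a
// third-party page that submits this request, the browser attaches the admin's
// cookies, current_user_can() passes, and the option is changed.
function example_save_option_weak() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_option', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}

// HARDENED: same handler, but the request must carry a nonce bound to this
// action. A third-party site cannot read the nonce, so a forged request is
// rejected before any state changes. check_ajax_referer() sends a 403 and
// stops execution when the nonce is missing or invalid.
function example_save_option_hardened() {
    check_ajax_referer( 'example_save_option', '_ajax_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_option', sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_option', 'example_save_option_hardened' );

// The legitimate admin script must carry the matching nonce, so it is passed
// to the page when the script is enqueued (admin.js is an assumed file).
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_option' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The same pattern applies to non-ajax form handlers, where check_admin_referer() with a nonce field from wp_nonce_field() plays the role of check_ajax_referer().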
Our hosting customers consistently benefit from lifetime updates for all ElegantThemes products. We apply ongoing security updates automatically. In addition, all websites now undergo an additional forensic malware check (server-wide and independent of the installed CMS solutions).
Anyone who learns of the vulnerability through this article and does not hold a valid update license for Divi & Co. can use the Security Patcher Plugin from ElegantThemes. It also closes the vulnerability.