Elegant Themes notified users that updated versions of some of their products were available that patched security issues. The affected themes and plugins are the Divi and Extra themes, as well as their Divi Builder plugin. They are recommending that users update as soon as possible to ensure their site stays secure.
Nick Roach from Elegant Themes stated the issue this way:
These products contained a bug that made it possible for logged in WordPress users, regardless of their user role, to retrieve post content, including processed shortcodes, from posts that were last edited using the classic Divi Builder.
This issue extends to all websites that use Divi, Extra, and the Divi Builder and meet these specific criteria:
- Use Divi, Extra or the Divi Builder.
- Allow user registration or have plugins installed that allow for user registration.
- Have pages built using the classic Divi Builder or have plugins installed that allow underprivileged users to publish posts.
How to protect yourself
Updating your theme and Divi Builder plugin will patch this issue. If you are currently licensed, you should be able to run these updates from your WordPress dashboard. You can also download the latest versions from your Elegant Themes account. The updated versions are:
- Divi Theme: 3.7.1
- Extra Theme: 2.7
- Divi Builder: 2.7
If you are unable to update right away for whatever reason, there is a security patch plugin available here: Elegant Themes Security Patcher
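To confirm which sites still need the update, the following script (an added example, not code from Elegant Themes or from this post) reads the version headers on disk and compares them with the patched releases listed above. The directory names `Divi`, `Extra` and `divi-builder` and the file `divi-builder.php` are assumptions based on a default install.

```shell
#!/bin/sh
# Added example: flag Divi / Extra / Divi Builder copies older than the
# patched releases listed in this post (3.7.1, 2.7, 2.7).
# Assumption: default directory names Divi, Extra and divi-builder.

# Succeeds (exit 0) when dotted version $1 is lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Prints the value of the first "Version:" line in a WordPress file header.
header_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Reports one component; returns 1 if it is installed and below the fix.
# $1 = label, $2 = file carrying the header, $3 = first patched version
check_component() {
    [ -f "$2" ] || { echo "$1: not installed"; return 0; }
    v=$(header_version "$2")
    [ -n "$v" ] || { echo "$1: version not found, check manually"; return 1; }
    if version_lt "$v" "$3"; then
        echo "$1: $v is VULNERABLE, update to $3 or later"; return 1
    fi
    echo "$1: $v is patched"
}

# Audits a wp-content directory; exit status = number of components to update.
audit_wp_content() {
    bad=0
    check_component "Divi theme"  "$1/themes/Divi/style.css"  3.7.1 || bad=$((bad + 1))
    check_component "Extra theme" "$1/themes/Extra/style.css" 2.7   || bad=$((bad + 1))
    check_component "Divi Builder" "$1/plugins/divi-builder/divi-builder.php" 2.7 \
        || bad=$((bad + 1))
    return "$bad"
}

# Run only when a wp-content path is given on the command line.
[ $# -eq 0 ] || audit_wp_content "$1"
```

Pass the path to `wp-content` as the only argument. Where WP-CLI is installed, `wp option get users_can_register` shows whether the site allows user registration, the second criterion above.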
What if your license is expired?
Elegant Themes is extending the update to all users even if accounts are expired. If you are expired, you should be able to update from the WordPress Dashboard.
Cinch Customers have already been patched
If you are a Cinch maintenance customer, your site has already been patched and updated. Not sure how to update your theme? Let us do it! Sign up for our Essential Support right now or start a chat. We’re happy to help ;)
Thanks to Elegant Themes for their transparency on this issue.