ElegantThemes (divi, extra, divi-builder < 4.0.10) - Authenticated Code Injection



Description
"A code injection vulnerability was discovered by our team during a routine code audit that could allow logged in contributors, authors and editors to execute a small set of PHP functions."

Affected:
Divi version 3.23 and above,
Extra version 2.23 and above,
Divi Builder version 2.23 and above.

Version 4.0.10 of each product includes the security patch.

Affects Plugin

divi-builder: fixed in version 4.0.10

Affects Themes

divi: fixed in version 4.0.10
extra: fixed in version 4.0.10

References

URL https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=e3532c8cb1
URL https://www.elegantthemes.com/api/changelog/divi-builder.txt
URL https://www.elegantthemes.com/api/changelog/divi.txt
URL https://www.elegantthemes.com/api/changelog/extra.txt

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Views 59371
Verified No
WPVDB ID 10000

Timeline

Publicly Published 2020-01-02
Added 2020-01-03
Last Updated 2020-01-04