Critical Vulnerabilities Found in Divi Builder by Elegant Themes


Vulnerable Plugins & Themes:

Divi Builder Plugin
Divi Theme
Extra Theme

Vulnerability Disclosed: 02-01-2020

Patch Release Date: 03-01-2020

Patched Version:

Divi Builder Plugin – 4.0.10
Divi Theme – 4.0.10
Extra Theme – 4.0.10

Elegant Themes’ Divi Builder is the most famous WordPress page builder. It lets users design beautiful pages without learning how to code. Divi Builder is used on over 600,000 websites. Several of these websites also run the Divi or the Extra theme.

Critical vulnerabilities have been identified in the Divi Builder plugin, the Divi theme, and the Extra theme. The flaw can be abused, and your website may be affected. To repair it, you must take urgent action. In this post, we will tell you what you need to do to defend your website.

What is the Divi Vulnerability & its Impact?

During a routine security audit, the Elegant Themes team uncovered a code injection vulnerability. It allows users in roles such as contributor, author and editor to execute certain PHP functions.

Untrusted users can abuse the vulnerability. If it affects you, you need to act promptly.

Are You Affected by the Divi Vulnerability?

Websites running the following versions are affected by the vulnerability –

  • Divi Builder version 2.23 and above 
  • Divi version 3.23 and above 
  • Extra 2.23 and above

But how do you know what version you are running?

  • To learn what version of the Divi Builder plugin you are using, log into your WordPress dashboard, go to Plugins > Installed Plugins > Divi Builder. You will find a small description of the plugin along with the plugin version.
  • As for the themes, go to Appearance > Themes > Divi & Extra and then click on Details. You’ll find the version of the theme.
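For anyone checking more than a handful of sites, the same version check can be scripted. The sketch below is an added example, not code from Elegant Themes or from this article's author: it reads the `Version:` line from a theme or plugin header comment and classifies it against the ranges listed above. It assumes the header names match the product names (`Divi Builder`, `Divi`, `Extra`), and the sample headers are constructed.

```python
import re

# First affected version per product and the fixed release, as stated in the article.
FIRST_AFFECTED = {"Divi Builder": "2.23", "Divi": "3.23", "Extra": "2.23"}
PATCHED = "4.0.10"

# "Key: value" header convention WordPress reads from style.css / the main plugin file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_header(text):
    """Return (product name, version string) from a header comment; None if missing."""
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value)
    return fields.get("plugin name") or fields.get("theme name"), fields.get("version")

def vtuple(version, width=4):
    """'4.0.9' -> (4, 0, 9, 0), so 4.0.9 < 4.0.10 compares numerically, not as text."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:width]
    return tuple(nums + [0] * (width - len(nums)))

def classify(name, version):
    """Map a product/version pair onto the article's affected and patched ranges."""
    if name not in FIRST_AFFECTED or not version:
        return "unknown"
    v = vtuple(version)
    if v < vtuple(FIRST_AFFECTED[name]):
        return "not-affected"
    return "vulnerable" if v < vtuple(PATCHED) else "patched"

# Constructed sample headers (not taken from real installs).
SAMPLES = {
    "site-a theme": "/*\nTheme Name: Divi\nVersion: 4.0.9\n*/",
    "site-b theme": "/*\nTheme Name: Extra\nVersion: 4.0.10\n*/",
    "site-c plugin": "<?php\n/*\n * Plugin Name: Divi Builder\n * Version: 2.22.1\n */",
    "site-d theme": "/*\nTheme Name: Divi\nVersion: 3.23\n*/",
}

def audit(samples):
    """Return {label: status} for a mapping of label -> header text."""
    return {label: classify(*parse_header(text)) for label, text in samples.items()}

if __name__ == "__main__":
    for label, status in audit(SAMPLES).items():
        print(f"{label}: {status}")
```

Anything reported as `vulnerable` needs the 4.0.10 update; `unknown` means the header could not be read and the version should be checked in the dashboard.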

How to Fix Websites Affected by the Divi Vulnerability?

The problem can be corrected by upgrading the plugin and the themes.

After the flaw was detected, the Elegant Themes team released a fix in the form of an update.

To upgrade the plugin and themes, log into the WordPress dashboard and select Updates from the menu.

You will see all the themes and plugins you need to upgrade in the Apps section.

  • Select the Divi Builder plugin and press Upgrade Plugin.
  • Select the Divi and Extra themes, and then press Upgrade Theme.

This upgrades the plugin and themes to version 4.0.10, which includes a security patch.

What About Expired Divi Accounts?

If your access to Elegant Themes has expired, don’t panic: you can still update. You don’t need to renew your subscription to access the update. You can download it through your WordPress dashboard.

Is the website hacked?

Hackers are constantly searching for vulnerabilities that they can exploit. If you have the slightest suspicion that your website is compromised, it is best to scan it (recommended read: signs of a hacked site). If your site turns out to be compromised, you can clean it immediately. Here’s how you can scan the website and clean it.

Step 1: Install and activate the WordPress security plugin MalCare. Then connect your website to the MalCare dashboard, and it will start scanning your website automatically. If ransomware is detected, you will be alerted.

Step 2: Click MalCare’s Auto-Clean button to delete viruses from your website; the plugin will clean your website instantly.


You should fix the flaw even if you trust all your users and believe that your website is not in harm’s way right now.

If a hacker gets access to one of these user accounts, they can abuse the flaw to execute malicious commands. The consequences that follow are serious and costly to repair. Therefore, upgrade your Divi Builder plugin and your Divi and Extra themes immediately.

We hope you appreciate how critical it is to keep your website updated at all times. Vulnerabilities can develop over time in the themes and plugins that you use. When developers find a flaw, they issue an update with a security fix.

Those who do not update their website routinely remain insecure. We suggest you read our in-depth WordPress update guide.

Apart from these vulnerabilities, there are several more risks that your WordPress website could face, including brute force attacks on your login page. You need to use a security plugin like MalCare to protect your website against all sorts of attacks. Every day it scans the website, cleans it automatically if it is compromised, and defends it from hackers and bots.