ElegantThemes (Divi, Extra, divi-builder < 4.0.10) – Authenticated Code Injection

Description

"A code injection vulnerability was discovered by our team during a routine code audit that could allow logged in contributors, authors and editors to execute a small set of PHP functions."

Affected:
Divi version 3.23 and above,
Extra 2.23 and above
Divi Builder version 2.23 and above.

Product versions 4.0.10 include the security patch.

Affects Plugins

divi-builder

Fixed in 4.0.10

Affects Themes

Divi

Fixed in 4.0.10

Extra

Fixed in 4.0.10

divi

Fixed in 4.0.10

References

URL

https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=e3532c8cb1

URL

https://www.elegantthemes.com/api/changelog/divi-builder.txt

URL

https://www.elegantthemes.com/api/changelog/divi.txt

URL

https://www.elegantthemes.com/api/changelog/extra.txt

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

4.7 (medium)

Miscellaneous

Verified

WPVDB ID

fddc2746-0e65-4a58-85d1-3d4ce20a1739

Timeline

Publicly Published

2020-01-02 (about 6 years ago)

Added

2020-01-03 (about 6 years ago)

Last Updated

2020-11-26 (about 5 years ago)

Other

Published

Title

Published

2025-11-07

Title

Better Find and Replace < 1.7.8 - Authenticated (Subscriber+) Limited Code Injection

Published

2025-01-30

Title

WooCommerce Product Table Lite < 3.9.5 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting

Published

2024-12-17

Title

WPLMS < 1.9.9.5 - Authenticated (Student+) Remote Code Execution

Published

2015-12-02

Title

Cool Video Gallery < 2.0 - Authenticated Command Injection

Published

2025-09-26

Title

Contact Form 7 – Dynamic Text Extension <= 5.0.3 - Unauthenticated Arbitrary Shortcode Execution