Elegant Themes Divi/Divi Builder/Extra/Bloom/Monarch Security Vulnerability

This won’t be a typical full disclosure post. I will release that after sufficient time has passed to allow users to upgrade. The most I will say now is that logged in users had access to more than they should have. If your site does not have additional untrusted users this is not a major issue for you. Though everyone should upgrade immediately.

On 2/10/2016 I discovered a potential security issue with Elegant Themes Divi theme. Since I am not a customer of theirs I had some issues getting in touch with someone to disclose the information to, but after a few emails and a Twitter exchange I was able to convey the information.

In the interim, Elegant Themes had Securi do a complete code analysis to check for further issues and apparently they did not discover anything further than I already had.

On 2/17/2016 Elegant Themes released updated versions and contacted their customer list to tell them to upgrade. I haven’t seen the exact email sent.

I believe a customer of theirs tweeted out about the issue. I was going to wait to post this until Elegant Themes had a chance to do their own release.

I have not seen the updated code, but based on the description received it sounds like the issue should be resolved.

Affected Versions

  • Divi < 2.6.4
  • Diviv (legacy) < 2.3.4
  • Divi Builder < 1.2.4
  • Extra < 1.2.4
  • Bloom < 1.1.1
  • Monarch < 1.2.7


Formidable Forms < 2.0.22 Security Vulnerability

Formidable Forms is a visual form builder WordPress plugin from Strategy 11. The free version has 200,000+ active installs which makes it one of the most popular contact form plugins for WordPress.

I noticed some potential security vulnerabilities in some of the more obscure AJAX actions they make available. Most of the actions are protected by a helpful function FrmAppHelper::permission_check() which checks if a user has the WordPress permission for the action as well as a valid nonce for the action. Kudos on implementing a system that makes it easy to be secure without duplicating code all over the place!

All of the actions uncovered require at least a valid WordPress account, but any account will work. If you are using this plugin, please update immediately.

Read more

Backup Guard < 1.0.3 Logged in users can upload arbitrary files

Backup Guard is one of many WordPress plugins to designed to backup your site. The free version on wordpress.org claims to have 20,000+ active installs, there is no indication of how many installs the non-free version has. After disclosing this information the developer sent me a copy of the paid version, but I have not had time to investigate that code.

As of today, the included ChangeLog still does not have any release notes related to this version and I have not seen any announcements of any security issues.

I noticed several issues related to their handling of AJAX requests. One of them allowed a non-authenticated user to trigger a manual backup. Though by default it uses .htaccess to keep anyone from accessing the backup files directly. With the paid version it might have been possible to pass in a remote location to backup the file to, but I did not have the code available when I did my initial analysis to determine if that was possible.

The other AJAX commands required a valid WordPress account (not just admin), none of the commands did any further authorization so a normal user could do any of the actions. There are lots of actions to choose from, the most interesting to me was ‘backup_guard_importBackup’.

Read more