Tag: wordpress theme

Elegant Themes Divi/Divi Builder/Extra/Bloom/Monarch Security Vulnerability

This won’t be a typical full disclosure post. I will release that after sufficient time has passed to allow users to upgrade. The most I will say now is that logged-in users had access to more than they should have. If your site does not have additional untrusted users, this is not a major issue for you, though everyone should upgrade immediately.

On 2/10/2016 I discovered a potential security issue with Elegant Themes' Divi theme. Since I am not a customer of theirs, I had some issues getting in touch with someone to disclose the information to, but after a few emails and a Twitter exchange I was able to convey the information.

In the interim, Elegant Themes had Sucuri do a complete code analysis to check for further issues, and apparently they did not discover anything further than I already had.

On 2/17/2016 Elegant Themes released updated versions and contacted their customer list to tell them to upgrade. I haven’t seen the exact email sent.

I believe a customer of theirs tweeted out about the issue. I was going to wait to post this until Elegant Themes had a chance to do their own release.

I have not seen the updated code, but based on the description received it sounds like the issue should be resolved.

Affected Versions

  • Divi < 2.6.4
  • Divi (legacy) < 2.3.4
  • Divi Builder < 1.2.4
  • Extra < 1.2.4
  • Bloom < 1.1.1
  • Monarch < 1.2.7

ThemeBlvd theme framework vulnerability

The ThemeBlvd theme framework doesn’t properly verify whether a user is allowed to perform specific actions. We uncovered two specific vulnerabilities in their product and notified the vendor. This release was made after the vendor notified us a fix was released.

The first could be used to damage a WordPress site and possibly could be used for much more.


/**
 * Clear set of options. Hooked to "admin_init".
 *
 * @since 2.3.0
 */
function themeblvd_clear_options() {
    if ( isset( $_POST['themeblvd_clear___options'] ) ) {
        $option_id = $_POST['themeblvd_clear___options'];
        delete_option( $option_id );
        add_settings_error( $option_id , 'clear_defaults',
            __( 'Options cleared from database.', 'themeblvd' ),
            'themeblvd-error error fade' );
    }
}

This code doesn’t authenticate the user in any way, so it allows any user to delete an arbitrary option from the wp_options table.

The second vulnerability allows a user to set any of their user_meta data to ‘true’, which could be leveraged for additional access.

function themeblvd_disable_nag() {

    global $current_user;

    if ( isset( $_GET['tb_nag_ignore'] ) ) {
        add_user_meta( $current_user->ID, $_GET['tb_nag_ignore'], 'true', true );
    }
}

I notified the author Jason Bobich on 11/2/2014. The first issue was fixed around 11/26/2014 and the second around 12/9/2014.
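
The two handlers above with the missing checks put in, as an added example. This is not ThemeBlvd's actual patch, which is not shown on this page. The `example_tb_*` function names, the nonce action and field names, both allowlists, the `edit_theme_options` capability and the `admin_init` hook for the nag handler are all assumptions made for illustration.

```php
<?php
// Added example, not ThemeBlvd's actual patch. The allowlists, nonce action
// names and the 'edit_theme_options' capability are assumptions.

// Option IDs the framework itself owns (hypothetical values).
function example_tb_clearable_options() {
    return array( 'themeblvd_options', 'themeblvd_sidebars' );
}

// Nag identifiers the framework itself emits (hypothetical values).
function example_tb_known_nags() {
    return array( 'tb_nag_plugins', 'tb_nag_update' );
}

function example_tb_clear_options() {
    if ( ! isset( $_POST['themeblvd_clear___options'] ) ) {
        return;
    }
    // admin_init also fires for admin-ajax.php and admin-post.php, so the
    // hook alone proves nothing about who sent the request.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to clear options.', 'themeblvd' ), 403 );
    }
    // The nonce check blocks cross-site request forgery against an admin.
    check_admin_referer( 'example_tb_clear_options', 'example_tb_nonce' );
    $option_id = sanitize_key( wp_unslash( $_POST['themeblvd_clear___options'] ) );
    // Only options on the allowlist can be deleted, never arbitrary rows.
    if ( ! in_array( $option_id, example_tb_clearable_options(), true ) ) {
        return;
    }
    delete_option( $option_id );
    add_settings_error( $option_id, 'clear_defaults',
        __( 'Options cleared from database.', 'themeblvd' ), 'themeblvd-error error fade' );
}
add_action( 'admin_init', 'example_tb_clear_options' );

function example_tb_disable_nag() {
    if ( ! isset( $_GET['tb_nag_ignore'] ) || ! is_user_logged_in() ) {
        return;
    }
    check_admin_referer( 'example_tb_disable_nag', 'example_tb_nonce' );
    $nag = sanitize_key( wp_unslash( $_GET['tb_nag_ignore'] ) );
    // The request picks from known nag IDs; it never names the meta key.
    if ( in_array( $nag, example_tb_known_nags(), true ) ) {
        add_user_meta( get_current_user_id(), 'example_tb_ignore_' . $nag, 'true', true );
    }
}
add_action( 'admin_init', 'example_tb_disable_nag' );
```

The forms and links that trigger these handlers would need to carry the matching nonce, for example via `wp_nonce_field()` and `wp_nonce_url()`.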

Themes Affected

Plugins Affected