WP Security bulletin – NOVEMBER 2018
At your next scheduled WordPress maintenance, be advised, for your WP Security, of the latest 3 vulnerabilities in WordPress themes identified and reported publicly during. Because these vulnerabilities are now disclosed, if you use one (or more) of these outdated plugins, you're risking serious breaches of your WordPress site(s).
We withhold public disclosure from the beginning of December 2018, to avoid any unwanted attention during the holidays.
- Divi Builder
  - Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). A privilege escalation vulnerability was discovered that could allow low-level users, such as Authors, to use unfiltered HTML inside of post content when using the Divi Builder. Using such code in posts is typically reserved for admins.
  - Affected Elegant Themes: Divi, Extra and their APIs.
  - WP Security recommendation: immediately upgrade to version 2.17.3 to fix the vulnerability.