CVE-2020-35945
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level permissions or higher to upload arbitrary files, including malicious PHP files, due to insufficient server-side file extension validation. It affects websites using Divi Builder plugin, Divi theme, or Divi Extra theme before version 4.5.3. Attackers can execute arbitrary code on vulnerable WordPress installations.
💻 Affected Systems
- Divi Builder plugin
- Divi theme
- Divi Extra theme
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or website defacement through remote code execution.
Likely Case
Attacker uploads web shell to gain persistent access, install malware, or pivot to other systems on the network.
If Mitigated
Impact is limited to a file sitting in the uploads directory if PHP execution is blocked under wp-content/uploads/ and a web application firewall inspects multipart uploads; the vulnerable code is still present, so the update is still required.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once attacker has contributor credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.3
Vendor Advisory: https://www.elegantthemes.com/blog/divi-resources/divi-security-update-4-5-3
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Dashboard > Updates.
3. Update the Divi theme, the Extra theme and/or the Divi Builder plugin to version 4.5.3 or later.
4. Verify the new version is shown under Appearance > Themes or Plugins > Installed Plugins.
🔧 Temporary Workarounds
Block execution of uploaded PHP via .htaccess
Add the following to wp-content/uploads/.htaccess (Apache 2.2 Order/Deny syntax; on Apache 2.4 use Require all denied inside the same FilesMatch block). This does not stop the upload itself, only the web server from executing PHP that lands in the uploads tree, and it has no effect on nginx or where uploads are served from a separate document root.
    <FilesMatch "\.(php|php5|php7|phtml|phar)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
Remove contributor upload capability
Revoke the upload_files capability from the contributor role with a map_meta_cap filter (drop it into wp-content/mu-plugins/ so it cannot be deactivated from the admin panel). Note that WordPress's stock contributor role does not have upload_files, so this only matters where a plugin or custom role configuration has granted it; because the vulnerable upload is handled by Divi's own code rather than the core media uploader, treat this as defence in depth, not a substitute for updating.
    <?php
    // Deny upload_files to any user holding the contributor role.
    function remove_contributor_upload( $caps, $cap, $user_id, $args ) {
        if ( 'upload_files' === $cap ) {
            $user = get_userdata( $user_id );
            if ( $user && in_array( 'contributor', (array) $user->roles, true ) ) {
                $caps[] = 'do_not_allow'; // any 'do_not_allow' in the list denies the capability
            }
        }
        return $caps;
    }
    add_filter( 'map_meta_cap', 'remove_contributor_upload', 10, 4 );
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that reject multipart uploads whose filename ends in a PHP-executable extension (.php, .php5, .php7, .phtml, .phar), including double extensions such as image.jpg.php
- Regularly audit user accounts and remove unnecessary contributor-level access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for Divi theme/plugin version. If version is below 4.5.3, system is vulnerable.
Check Version:
wp theme list --fields=name,version,status | grep -iE 'divi|extra'
wp plugin list --fields=name,version,status | grep -i divi
(wp-cli's --field takes a single column; use --fields for several.) Alternatively check Appearance > Themes and Plugins > Installed Plugins in the WordPress admin.
Verify Fix Applied:
Confirm Divi theme/plugin version is 4.5.3 or higher in WordPress admin panel.
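As an added example (not from this advisory or from Elegant Themes), the check below reads the WordPress file headers of the three affected components directly from disk and compares the Version against 4.5.3 numerically, which also works on a backup, a mounted volume or a forensic image where wp-cli is unavailable. The directory names Divi, Extra and divi-builder are the default install slugs and are assumed here; the sample headers are constructed.

```python
"""Offline check of Divi component versions against the CVE-2020-35945 fix (4.5.3)."""
import re
from pathlib import Path

PATCHED = (4, 5, 3)

# Default install locations relative to wp-content/ (assumption: renamed installs differ).
# Themes carry the header in style.css, the plugin in its main file.
DIVI_COMPONENTS = {
    "Divi theme": "themes/Divi/style.css",
    "Divi Extra theme": "themes/Extra/style.css",
    "Divi Builder plugin": "plugins/divi-builder/divi-builder.php",
}

# WordPress file headers are "Key: value" lines inside a leading comment block.
VERSION_RE = re.compile(r"^[ \t*]*Version:[ \t]*(\S+)", re.MULTILINE)


def parse_version(header_text):
    """Return the Version header as a 3-tuple of ints, or None if absent/unparseable."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)
        if not digits:          # stop at suffixes such as "-beta1"
            break
        parts.append(int(digits.group()))
    if not parts:
        return None
    parts += [0] * (3 - len(parts))   # "4.5" compares as 4.5.0
    return tuple(parts[:3])


def is_vulnerable(version):
    # Compare numerically: as strings "4.10.0" < "4.5.3", which would misreport a patched site.
    return version < PATCHED


def check_header(header_text):
    version = parse_version(header_text)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


def scan_wp_content(wp_content_dir):
    """Check every Divi component present under the given wp-content/ directory."""
    results = {}
    for name, rel_path in DIVI_COMPONENTS.items():
        path = Path(wp_content_dir) / rel_path
        if not path.is_file():
            results[name] = ("not installed", None)
            continue
        with path.open(encoding="utf-8", errors="replace") as fh:
            results[name] = check_header(fh.read(8192))  # WordPress reads only the first 8 KB
    return results


# Constructed sample headers, modelled on the WordPress header format.
SAMPLE_THEME_CSS = """/*
Theme Name: Divi
Theme URI: https://www.elegantthemes.com/gallery/divi/
Version: 4.5.2
Author: Elegant Themes
*/
"""
SAMPLE_PLUGIN_PHP = """<?php
/*
Plugin Name: Divi Builder
Version: 4.10.0
*/
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for name, (state, version) in scan_wp_content(sys.argv[1]).items():
            print(f"{name}: {state} {version or ''}")
    else:
        print("sample theme header:", check_header(SAMPLE_THEME_CSS))
        print("sample plugin header:", check_header(SAMPLE_PLUGIN_PHP))
```

Run it as `python3 check_divi.py /var/www/html/wp-content` against a live or mounted site; with no argument it exercises the constructed headers.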
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads/ directory
- PHP file uploads by contributor-level users
- Multiple failed upload attempts with different extensions
Network Indicators:
- POST requests with multipart/form-data bodies to WordPress upload and AJAX endpoints (wp-admin/async-upload.php, wp-admin/admin-ajax.php) carrying .php, .phtml or .phar file parts, followed by requests for a PHP path under wp-content/uploads/ from the same client
- Unusual traffic patterns from contributor accounts
SIEM Query:
source="web_logs" uri_path="*/wp-content/uploads/*" (uri_path="*.php" OR uri_path="*.php5" OR uri_path="*.php7" OR uri_path="*.phtml" OR uri_path="*.phar")
Any request for a PHP file under wp-content/uploads/, whatever the method or response status, is an indicator: WordPress never serves PHP from that tree legitimately, and a web shell is invoked with GET as often as POST. Correlate hits with recent upload activity from the same source address:
source="web_logs" http_method="POST" (uri_path="*/wp-admin/async-upload.php" OR uri_path="*/wp-admin/admin-ajax.php")
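The detection logic from the two indicator lists above, as an added example rather than anything from the advisory: it parses combined-format access logs, flags every request for a PHP-executable file under wp-content/uploads/, and raises the severity when the same client POSTed to a WordPress upload or AJAX endpoint within the preceding 30 minutes. The endpoint set and the 30-minute window are assumptions; the log lines are constructed and use RFC 5737 test addresses.

```python
"""Flag web-shell indicators for CVE-2020-35945 in combined-format web access logs."""
import re
from datetime import datetime, timedelta

# Extensions typically handled by the PHP engine (same set as the .htaccess workaround).
PHP_EXTENSIONS = {"php", "php5", "php7", "phtml", "phar"}
# Core endpoints through which WordPress and its plugins receive uploads (assumed set).
UPLOAD_ENDPOINTS = {"/wp-admin/async-upload.php", "/wp-admin/admin-ajax.php", "/wp-admin/media-new.php"}

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def is_php_under_uploads(path):
    """True for /wp-content/uploads/.../x.php in any letter case, query string ignored."""
    path = path.split("?", 1)[0].lower()
    if "/wp-content/uploads/" not in path:
        return False
    filename = path.rsplit("/", 1)[-1]
    return "." in filename and filename.rsplit(".", 1)[1] in PHP_EXTENSIONS


def find_indicators(lines, window=timedelta(minutes=30)):
    """Return findings in time order; 'high' when an upload POST from the same IP preceded the hit."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    for e in events:
        if not is_php_under_uploads(e["path"]):
            continue
        prior_upload = any(
            p["ip"] == e["ip"] and p["method"] == "POST" and p["path"] in UPLOAD_ENDPOINTS
            and timedelta(0) <= e["ts"] - p["ts"] <= window
            for p in events
        )
        # A 403/404 still matters: it shows someone probing for a shell they expect to exist.
        findings.append({
            "ts": e["ts"], "ip": e["ip"], "path": e["path"], "status": e["status"],
            "severity": "high" if prior_upload else "medium",
        })
    return findings


# Constructed sample log; not captured from a real site.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2020:14:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Aug/2020:14:03:02 +0000] "GET /wp-content/uploads/2020/08/photo.jpg HTTP/1.1" 200 40212 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2020:14:02:40 +0000] "GET /wp-content/uploads/2020/08/shell.php?cmd=id HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Aug/2020:14:05:00 +0000] "POST /wp-content/uploads/2020/08/shell.phtml HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '192.0.2.77 - - [10/Aug/2020:14:06:30 +0000] "GET /wp-content/uploads/2019/01/x.PHP HTTP/1.1" 403 199 "-" "python-requests/2.24"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['severity']:6} {f['ip']:15} {f['status']} {f['path']}")
```

Feed it real logs with `find_indicators(open("/var/log/apache2/access.log").read().splitlines())`; the first finding for a host is the natural pivot point for pulling the uploaded file and the preceding authenticated session.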
🔗 References
- https://wpscan.com/vulnerability/10342
- https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/