CVE-2020-35945
CRITICAL EXPLOITED
Elegantthemes Divi < 4.5.3 - Unrestricted File Upload
Title source: rule
Description
An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/
Broken Link, Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/10342
Scores
CVSS v3
9.9
EPSS
0.0223
EPSS Percentile
84.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
VulnCheck KEV
2020-08-04
CWE
CWE-434
Status
published
Products (3)
elegantthemes/divi
3.0 - 4.5.3
elegantthemes/divi_builder
2.0 - 4.5.3
elegantthemes/extra
2.0 - 4.5.3
Published
Jan 01, 2021
Tracked Since
Feb 18, 2026