CVE-2020-35945
CRITICAL, EXPLOITED: Divi, Divi Builder, and Extra < 4.5.3 - Authenticated Arbitrary File Upload via Client-Side Extension Check Bypass
Title source: llm
Exploitation Summary
CVE-2020-35945 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side.
References (2)
Exploit, Third Party Advisory (x_refsource_misc): https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/
Broken Link, Exploit, Third Party Advisory (x_refsource_misc): https://wpscan.com/vulnerability/10342
Scores
CVSS v3: 9.9
EPSS: 0.0236
EPSS Percentile: 81.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
VulnCheck KEV: 2020-08-04
CWE: CWE-434
Status: published
Products (3)
elegantthemes/divi: 3.0 - 4.5.3
elegantthemes/divi_builder: 2.0 - 4.5.3
elegantthemes/extra: 2.0 - 4.5.3
Published: Jan 01, 2021
Tracked Since: Feb 18, 2026