Get your sites updated if they are built with Divi! Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.

We initially reached out to Elegant Themes on July 23, 2020 and, after establishing an appropriate communication channel, we provided the full disclosure details on July 28, 2020. The developers responded on June 29, 2020 to let us know a patch would be coming in the next version. Patches were released yesterday, on August 3, 2020, in version 4.5.3 for all products.

This is considered a critical security issue that could lead to remote code execution on a vulnerable site’s server. If you haven’t already updated, and you are running Divi versions 3.0 and above, Extra versions 2.0 and above, or Divi Builder versions 2.0 and above, we highly recommend updating to the patched version, 4.5.3, immediately. Alternatively, you can use their Security Patcher Plugin until you can update safely.

Both Wordfence Premium and free users are protected against any attacks attempting to exploit this vulnerability due to the Wordfence firewall’s built-in malicious file upload protection.


Description: Authenticated Arbitrary File Upload
Affected Products: Divi Theme, Extra Theme, and Divi Builder plugin
Theme Slugs: divi, extra
Plugin slug: divi-builder
Affected Versions: (Divi): 3.0 – 4.5.2
Affected Versions: (Extra): 2.0 – 4.5.2
Affected Versions: (Divi Builder): 2.0 – 4.5.2
CVE ID: Pending.
CVSS Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version (same for all products): 4.5.3

Elegant Themes is the creator behind one of the most popular premium themes, Divi. One of the features of the Divi theme is that it comes with the Divi Page Builder that makes the site design and editing process easy and customizable. In addition to the Divi theme, Elegant Themes offers an alternative theme, Extra, that includes the Divi Builder. The standalone Divi Builder plugin is also available and can be used with any theme.

As part of the Divi Builder functionality, users that have the ability to create posts can import and export Divi page templates using the portability feature.

Unfortunately, we discovered that although this feature used a client-side file type verification check, it was missing a server-side verification check. This flaw made it possible for authenticated attackers to easily bypass the JavaScript client-side check and upload malicious PHP files to a targeted website. An attacker could easily use a malicious file uploaded via this method to completely take over a site.

Divi Builder portability feature used to import layouts

What went wrong?

Taking a closer look at the code, we can see that the portability import function was triggered by the et_core_portability_import AJAX action and its corresponding et_core_portability_ajax_import function, which does have a nonce and capability check.

add_action( 'wp_ajax_et_core_portability_import', 'et_core_portability_ajax_import' );

The core of the problematic code could be found within the import function of the builder’s portability.php file. Since the plugin had a client-side JavaScript-based file extension check for .json files, the developers might have missed adding a server-side file-type check here prior to using the file’s contents during the import, or assumed the client-side check would be sufficient protection.

public function import( $file_context = 'upload' ) {
    global $shortname;
    $this->prevent_failure();
    self::$_doing_import = true;
    $timestamp              = $this->get_timestamp();
    $filesystem             = $this->set_filesystem();
    $temp_file_id           = sanitize_file_name( $timestamp );
    $temp_file              = $this->has_temp_file( $temp_file_id, 'et_core_import' );
    $include_global_presets = isset( $_POST['include_global_presets'] ) ? wp_validate_boolean( $_POST['include_global_presets'] ) : false;
    $global_presets         = '';
    if ( $temp_file ) {
        $import = json_decode( $filesystem->get_contents( $temp_file ), true );
    } else {
        // No server-side check of the uploaded file's name or type happens here;
        // only the JavaScript in the browser filtered for .json files.
        if ( ! isset( $_FILES['file'] ) ) {
            return false;
        }
        if ( ! in_array( $file_context, array( 'upload', 'sideload' ) ) ) {
            $file_context = 'upload';
        }

Analyzing the code further, we see that the file is temporarily uploaded using wp_handle_upload, with test_type set to false, overriding the wp_check_filetype_and_ext function that checks a file’s type and determines if it is a safe file to upload based on a list of allowed mime types.

This meant that the wp_handle_upload function did not test the file type during the upload, essentially disabling the extensive file-type checking protection built into the function.

$handle_file = "wp_handle_{$file_context}";
$upload      = $handle_file( $_FILES['file'], array(
    'test_size' => false,
    'test_type' => false, // skips wp_check_filetype_and_ext(), so any extension is accepted
    'test_form' => false,
) );

do_action( 'et_core_portability_import_file', $upload['file'] );

From there, the file’s content was checked to see if it could be used for the import. If the file’s content did not appear to be usable JSON data for an import, then the process was killed and the message ‘importContextFail’ was returned.

$temp_file = $this->temp_file( $temp_file_id, 'et_core_import', $upload['file'] );
$import = json_decode( $filesystem->get_contents( $temp_file ), true );
$import = $this->validate( $import );
$import['data'] = $this->apply_query( $import['data'], 'set' );
// Returning here leaves the uploaded file in place; delete_temp_files() below is never reached.
if ( ! isset( $import['context'] ) || ( isset( $import['context'] ) && $import['context'] !== $this->instance->context ) ) {
    return array( 'message' => 'importContextFail' );
}

Toward the end of the function, there was a hook to the function ‘delete_temp_files’ that was intended to delete any JSON files used for the import once completed. However, since the import died for files without usable JSON content before getting to this function, the files remained in the uploads directory until a legitimate JSON file was imported.

$this->delete_temp_files( 'et_core_import' );

This flaw made it possible for authenticated users with the edit_posts capability, like contributors, editors, and authors, to upload arbitrary files. An attacker could easily upload malicious PHP files and access them from the uploads directory. This could ultimately result in remote code execution and complete compromise of a vulnerable site’s hosting account.

The wp_ajax_et_theme_builder_api_import_theme_builder AJAX action and its corresponding function, used to import a theme builder template, was also susceptible to arbitrary file uploads due to the same issues. However, exploiting this would have required administrative privileges, significantly reducing its severity.

Fortunately, Elegant Themes was very quick to respond and release a patch that not only prevented all files except .json files from being uploaded, but also ensured that files would be sufficiently deleted at any stage of the process once no longer used.
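As an added example (not Elegant Themes’ code or their 4.5.3 patch), the unsafe upload call described above is shown beside a hardened import handler that performs the server-side checks the original lacked; the function names, nonce action and AJAX action are assumed, and it goes a step further than the patch by never writing the upload under the web root at all:

```php
<?php
// Added example, not Elegant Themes' code or patch. Hardened replacement for the
// import flow in the advisory, shown beside the unsafe call it replaces.
// Assumes it runs inside WordPress (check_ajax_referer, current_user_can, etc.).

// The call pattern from the vulnerable import(): all built-in checks switched off,
// so whatever the client sends, PHP files included, lands in wp-content/uploads.
function divi_example_unsafe_upload( array $file ) {
    return wp_handle_upload( $file, array(
        'test_size' => false,
        'test_type' => false, // disables wp_check_filetype_and_ext()
        'test_form' => false,
    ) );
}

// Hardened import. The upload is never moved under the web root: it is validated
// and decoded straight from PHP's temporary upload file, which normally lives
// outside the document root and is removed by PHP when the request ends.
// Returns the decoded layout array, or a WP_Error describing why it was rejected.
function divi_example_safe_import( array $file, $max_bytes = 2097152 ) {
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'no_upload', 'No uploaded file found.' );
    }
    // 1. Server-side extension check; the JavaScript check alone is no protection.
    $name = sanitize_file_name( $file['name'] );
    if ( 'json' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        return new WP_Error( 'bad_extension', 'Only .json layout files can be imported.' );
    }
    // 2. Size cap before reading the contents into memory.
    if ( filesize( $file['tmp_name'] ) > $max_bytes ) {
        return new WP_Error( 'too_large', 'Layout file exceeds the import size limit.' );
    }
    // 3. Content check: must decode to a JSON object carrying an import context,
    //    mirroring the 'context' test the original import performed too late.
    $import = json_decode( file_get_contents( $file['tmp_name'] ), true );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $import ) || empty( $import['context'] ) ) {
        return new WP_Error( 'bad_json', 'Uploaded file is not a valid layout export.' );
    }
    return $import;
}

// AJAX handler with the nonce and capability gates. Every failure path returns
// before anything is written to wp-content/uploads, so nothing lingers there.
function divi_example_ajax_import() {
    check_ajax_referer( 'divi_example_import', 'nonce' ); // assumed nonce action name
    if ( ! current_user_can( 'edit_posts' ) || empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $result = divi_example_safe_import( $_FILES['file'] );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_divi_example_import', 'divi_example_ajax_import' ); // assumed action name
```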

How to Update your Elegant Themes Product

As long as you have supplied your Elegant Themes Username and API key on your WordPress site, then you can take care of your updates directly in the updates area on your site. To do so, log into your site, and navigate to the “Updates” area. Select the Elegant Themes product you would like to update and just click “Update Plugin” or “Update Theme” depending on which product you are updating.

Also, please note that Elegant Themes has made this patch available to users, even if your account is expired.

WordPress updates area with a Divi Builder plugin that needs to be updated.

If you are unable to update fully, you can install the Elegant Themes Security Patcher Plugin, which will temporarily patch the vulnerability until you are able to do a complete update.

Another way to stay protected

As mentioned in our post last week, Wordfence has a feature to disable code execution in the uploads directory. Even if you’re not using one of Elegant Themes’ vulnerable products, we highly recommend enabling this setting, as it provides additional protection against vulnerabilities like this one that may erroneously allow PHP files to be uploaded into the uploads directory.

With this option enabled, attackers will not be able to execute PHP files uploaded into the uploads directory, providing an extra layer of security and assisting in thwarting attacks like this one. In the event that a zero-day vulnerability is discovered and actively exploited prior to the creation of a custom firewall rule, having this feature enabled can help keep your site protected.

The ‘Disable Code Execution for Uploads directory’ option location.

Proof of Concept Walkthrough

Due to the critical severity of this vulnerability and its high install base, we are refraining from posting a proof of concept walkthrough video for this vulnerability at this time. If you are interested in learning how this vulnerability might be exploited, please join us for Wordfence Office Hours next week on Tuesday, August 11th at 12:00 EST. This gives you time to update while still providing you with the in-depth details on how this could have been exploited on unprotected sites.

Disclosure Timeline

July 23, 2020 – Initial discovery of vulnerability. We verify the Wordfence firewall provides protection against exploit attempts and we make our initial contact attempt with the Elegant Themes team.
July 27, 2020 – The developer confirms inbox for handling disclosure.
July 28, 2020 – We send full disclosure details.
July 28, 2020 – They respond letting us know they have begun working on a patch and anticipate releasing it on the upcoming Monday.
July 31, 2020 – They send us the details of the patch so we can verify the fix is sufficient.
August 3, 2020 – A patch is released in version 4.5.3 for all products.

Conclusion

In today’s post, we detailed a flaw in Elegant Themes’ products Divi, Extra, and Divi Builder that provided authenticated users with the ability to upload arbitrary files, including PHP files, and execute any code in those files on the server. This flaw has been fully patched in version 4.5.3 for all products. We recommend that users immediately update to the latest version available, which is version 4.5.3 at the time of this publication.

Sites using Wordfence Premium as well as those still using the free version of Wordfence are protected from attacks against this vulnerability. If you know a friend or colleague who is using one of these themes or the plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical security update.

Special thanks to Mitch, from Elegant Themes, for working with us to quickly get a patch out to protect Elegant Themes users.

Read the full post here: Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

If you need us to do these updates for you, you need to contact us immediately. 

How to Install a WordPress Plugin in 2020 (Step by Step)

If you can’t figure out how to install a WordPress plugin, you have come to the right place. We will give you detailed instructions on three methods you can use to install and finally activate your plugin.

Once you get the first one right, installing subsequent plugins will be a smooth process.

Plugins are essential for adding functionality to your website without needing any expertise. You can improve your site’s SEO, increase speed, add payment methods, add contact forms, and much more.

There are over 55,000 free and paid WordPress plugins available. Although there is no limit to the number of plugins you can install, it’s important that you install only what you need to avoid slowing down the website.

You need to also pay attention to the reliability of the plugin you choose. It should be secure and not affect the user-friendliness or responsiveness of your site.


How to Install a WordPress Plugin

If you want to install a free WordPress plugin, use the WordPress plugin search box. It is the easiest of the three methods.

You have to follow the WordPress plugin upload method if you want to install a paid or premium plugin, because you won’t find premium plugins in the WordPress plugin directory.

It is rare to have problems installing a plugin via the WordPress plugin search or the plugin upload method. Nevertheless, if it happens, you have to install your plugin using FTP.


How to Install a WordPress Plugin via WordPress Plugin Search Box

install a wordpress plugin via wordpress plugin searchbox

First, head over to your WordPress dashboard and go to Plugins >> Add New.

You will see an interface like the image above. Type the name of the plugin you want to add in the search box. For our tutorial, type in keywords for the plugin you are looking for; as an example, we will use Elementor.

Next, click on the “Install Now” button. WordPress will automatically download and install the plugin for you.

write plugin name in wordpress search box

You can see that the “Install Now” button has changed into an “Activate” button. The plugin won’t work on your site if you don’t activate it.

Go ahead and click on the Activate button. Now you can start using this plugin.

install and activate wordpress plugin

That’s all. You have successfully installed the Elementor page builder plugin on your website.


How to Install a WordPress Plugin by WordPress Plugin Upload Method

This procedure is usually used for installing premium plugins. As the WordPress plugin directory is limited to only free plugins, paid plugins cannot be installed using the first method, because they are not listed in the WordPress plugin directory.

For this reason, WordPress comes with an upload method.

In this section, we will show you how to install a WordPress plugin using the plugin upload system.

  1. First, download the Elementor plugin from elemntor.com. It will be a zip file (You have to download your chosen plugin from the desired source).
  2. Log in to your WordPress admin area.
  3. Go to Plugins > Add New.
  4. Next, click on the ‘Upload Plugin’ button at the top of the page.
install a wordpress plugin by upload method

This will open the plugin upload section. From here you have to choose the zip file that you have downloaded previously.

  1. Click on “Choose File”.
  2. You will be redirected to your own computer files. Choose the zip file from your computer.
choose the zip file you have downloaded earlier

After that, click the “Install Now” button.

install now

Now WordPress will automatically upload the plugin from your computer and install it for you.

When you complete this process, you will see a success message on the WordPress dashboard.

activate the uploaded plugin

After installing successfully, you need to click on “Activate Plugin”. It should now be activated on your website. Lastly, you have to configure the plugin settings.

Every plugin has a different settings configuration procedure. Therefore, we will not show you this in our tutorial.

Want to find out other ways to upload your WordPress plugins? Visit the full article: How to install a WordPress Plugin

Phishing : Beware of Fake Email from “A Professional Photographer / illustrator” claiming Copyright Infringement

We recently got an email from one of our clients in regard to copyright infringement on a site through the use of illustrations. At Coffee Web Design, we only use stock photos or graphics that are royalty-free, and we limit the places we get our stock images from for our web designs. We take copyright infringement very seriously.

When we get an email like this, we have to do some research.

We did find this recent article, a warning about a phishing alert that sends you to a shared Google Doc file and is also targeting WordPress sites at the moment.

DO NOT CLICK THE LINK

If you happen to click the link, it would be best practice to run a malware check on your browser and PC, or even your phone if you tried to open it there.

Here is the information shared by INserCorp as a warning.

We have received several reports of a malicious website visitor filling out contact forms on iPlasmaCMS2 Websites from a person named “Mel” claiming your website is using their images and that you must “delete them NOW”.
Do NOT click on the link!
This is a classic phishing scheme – the malicious actor wants the unsuspecting victim who receives the email to click on the link which goes to a Google Drive hosted file that if clicked can create serious vulnerabilities in the victim’s device and/or network.

UPDATE – JUNE 29, 2020: It is confirmed that this script is also targeting Forms on WordPress websites as well. Thank you to the users who have contributed to this scam alert in our User Comments!
Ransomware Scheme Specifically Targeting iPlasmaCMS2 Website Administrators
The malicious actor, pretending to be a “Professional Photographer” or “Licensed Photographer” and going by the name “Mel” or “Melinda” with variations on the last name, is using different fake email addresses and providing different fake phone numbers (generally with a ‘718’ area code).

Once the recipient clicks the link it will take them to a file download that will allow the hacker to seize control of the user’s device. The hacker will then be able to hold the user’s device hostage and demand a ransom or exploit access to the users’ system leading to further damage, compromised accounts, or injection of worms (viruses that infect the host machine and use it to launch attacks on others).

Take a look at two almost identical messages sent through two completely different Website Contact Forms powered by iPlasmaCMS2, Insercorp’s proprietary Web Content Management System:

—–Original Message—–
From: REDACTED <noreply@REDACTED>
Sent: Monday, June 15, 2020 4:05 AM
To: REDACTED <REDACTED>
Subject: REDACTED Location Contact Form

iPlasmaCMS Location Contact Form Message Generated on June 15, 2020
Name: Mel
Email Address: Melphotographer985@aol.com
Phone Number: 17185795917
Preferred Contact Method: Phone

Comments
Hello there!

This is Melinda and I am a licensed photographer.

I was discouraged, frankly speaking, when I came across my images at your website. If you use a copyrighted image without my approval, you must be aware that you could be sued by the copyrigh owner.

It’s illicitly to use stolen images and it’s so disgusting!

Take a look at this document with the links to my images you used at REDACTED and my earlier publications to obtain evidence of my copyrights.

Download it right now and check this out for yourself:

<REDACTED>

If you don’t remove the images mentioned in the document above within the next several days, I’ll write a complaint against you to your hosting provider stating that my copyrights have been infringed and I am trying to protect my intellectual property.

And if it doesn’t work, you may be pretty damn sure I am going to report and sue you! And I will not bother myself to let you know of it in advance.

The hacker is trying to scare unsuspecting victims into clicking a link (which we have removed to prevent our readers from accidentally clicking it). Now take a look at another report we received from a completely different client later in the same day:

—–Original Message—–
From: REDACTED <noreply@REDACTED>
Sent: Monday, June 15, 2020 10:45 PM
To: REDACTED <REDACTED>
Subject: General Contact Form Message from REDACTED

General Contact Form Message
Generated on June 15, 2020

First Name: Mel
Last Name: Pursley
Title: You have no any rights to use my images for REDACTED without my consent! It’s illegal! It violates my rights! You must delete them NOW!!!!!
Company: Me photographer
Email Address: Menikon972@aol.com
Phone Number: 17188033311
Preferred Contact Method: Phone

Comments
Hello,

This is Melynda and I am a professional photographer.

I was confused, frankly speaking, when I came across my images at your web-site. If you use a copyrighted image without my consent, you need to be aware that you could be sued by the copyright holder.

It’s against law to use stolen images and it’s so filthy!

Take a look at this document with the links to my images you used at REDACTED and my earlier publications to obtain evidence of my legal copyrights.

Download it right now and check this out for yourself:

<REDACTED>

If you don’t remove the images mentioned in the document above within the next few days, I’ll write a complaint against you to your hosting provider stating that my copyrights have been infringed and I am trying to protect my intellectual property.

And if it doesn’t work, you may be pretty damn sure I am going to report and sue you! And I will not bother myself to let you know of it in advance.

Read the full article here

This month in top searches for retailers – People are getting out more in their yards!

According to recent analytics of the top search interests for people in the U.S., we found that more people want to get outside and are searching for the equipment to do it!

What do top searches mean for retailers?

Well, if you are a small retailer or a mom-and-pop shop, this should interest you: it tells you what to sell, based on what consumers are looking for.

Top 10 searches this month in retail

According to Think With Google, the following are the top ten searches within this month.

  1. Swimming pools up by 300% in online searches. Seems everyone wants to take a dip since the weather is warming up and wants to get out of the house, but within social distancing. If you are or have considered selling swimming pools, now is the time that you should see those sales go up.
  2. Golf Bag Accessories up by 200% – We see an online prediction here, and what better way to ‘set up your game’ than to buy from a retailer who sells golf accessories!
  3. Water Parks and Slides up by 200% – Did we say warmer weather is coming? Summer is almost here! Get these families ready with your retailing of yard water parks and slides!
  4. Sneeze Guards up by 200% – Well, we didn’t think about the summer on this one, but we gave it a second thought and said sure! Allergy season is here, now! Customers are looking, so start selling!
  5. Evaporative Coolers up by 200% – See the trend here! Summer is fast approaching!
  6. Outdoor Umbrellas and Shade Accessories up by 200% – A hot topic, because while the kids play, parents need the cooling downtime, or the kids will need to cool down from the pools and water park slides above!
  7. Neck Gaiters up by 200% – If you don’t know what a neck gaiter is, it’s a tube-like scarf around your neck that can be pulled up as a mask. Go ask any biker!
  8. Outdoor Umbrellas and Sunshades up by 200% – To go along with the umbrella accessories they were looking online to purchase!
  9. Party Streamers and Curtains up by 200% – We won’t ask why; just turn on your locations on your smartphones!
  10. Pool Covers and Ground Cloths up by 200% – You know, because they just bought a pool and summer isn’t quite here yet!

We hope you had fun reading some of our mentions of the top 10 retail searches this month!

If you don’t have an online store yet, contact us so we can help you with setting one up. If you have one already, you can go to Think with Google and stock up on the latest monthly search trends!

The Coffee Team

How to upload videos to YouTube – Easy Step by Step Instructions

We get many requests from people on how to use YouTube for their videos. Times are changing and more content is going visual. We have put together step-by-step instructions on how to upload your videos or go live on YouTube. Click on any of the images to view them larger.

First of all, you have to have a Google account to use YouTube. We suggest that if you are going to use YouTube for business, you have a separate account. It’s easy and sign-up is free.

Once you have a Google account (it is your Gmail account), sign in and go to YouTube.

Step 1. Uploading your video to YouTube

Click on the upper right hand corner or on your mobile device, look for the cam icon > Click and choose Upload Video (click on the image below to view larger)

You will be directed to YouTube Studio
Step 2. Uploading your video

On a computer or mobile device, select the video file and upload it. The arrow icon will show you the progress.

Step 3. Now your video is uploaded to your YouTube Studio

Wait for YouTube to generate thumbnails for your video or you can upload one of your own.

Add your title for the video you uploaded.

Add a description of the video. Keep in mind words and phrases used in YouTube searches.

Choose the cover photo for your video or upload one of your own by clicking the + icon.

Select a Playlist you want to add this video to or create one. 

Click NEXT
Step 4. Select the Right Settings

You will see the draft of the video you just uploaded.

Here you can change playlist or add to more than one playlist. No changes? 

Select whether this video is made for children (it will be available for review for the YouTube Kids app). The default is “no”.

Select whether this is restricted content for adults only. The default is “no”.

Click NEXT

Step 5. Adding “cards” to your YouTube video?

Cards on a YouTube video are those little pop ups you see when you are watching a video. To add cards, you will view a timeline of your video. You will stop in the timeline to add a card, link to your site etc. If you have nothing to add in your video, 

Click NEXT

Step 6. Finish your video and publishing your YouTube video

You can save your video to draft to complete the publishing later if you do not want to publish right now. 

Next and final steps to publishing your video

Select visibility – Here you will list if your video will be available to the:

  • Public – This will be available for the public to watch and will be indexed in search engines. This is the most common.
  • Unlisted – This is a private video that you have uploaded, and only people with a link that you send them will be able to view the video. This is most commonly used for training videos or company training videos that don’t really need to be viewed by the public or appear in searches.
  • Private – Only you or people you send video links to can view a private video.
Video done and don’t want to publish now? 

You can schedule the publish date of a video for the future if you don’t want to publish right away.

If you want to publish now then click the PUBLISH button. 
You are done! You have just uploaded a video to YouTube!

If you need help with your YouTube Channel videos, please feel free to contact us.
