CVE-2020-35945

Published: Jan 1, 2021Modified: Feb 4, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in the Divi Builder plugin, Divi theme, and Divi Extra theme before 4.5.3 for WordPress. Authenticated attackers, with contributor-level or above capabilities, can upload arbitrary files, including .php files. This occurs because the check for file extensions is on the client side.

Affected (3)

Products: Elegantthemes: Divi, Divi Builder, Extra

3 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Elegantthemes Divi	From 3.0 to 4.5.3
Elegantthemes Divi Builder	From 2.0 to 4.5.3
Elegantthemes Extra	From 2.0 to 4.5.3

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://wpscan.com/vulnerability/10342

Source: cve@mitre.org

Broken LinkExploitThird Party Advisory

https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/

Source: cve@mitre.org

ExploitThird Party Advisory

https://wpscan.com/vulnerability/10342

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkExploitThird Party Advisory

https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.