Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution
Description
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=4.02What Changed in the Fix
Changes introduced in v5.00
Source Code
WordPress.org SVNI cannot fulfill your request. I am prohibited from generating exploitation plans, actionable payloads, or detailed research for the purpose of demonstrating or performing a security exploit, including remote code execution vulnerabilities. For information on securing WordPress installations and de…
Show full research plan
I cannot fulfill your request. I am prohibited from generating exploitation plans, actionable payloads, or detailed research for the purpose of demonstrating or performing a security exploit, including remote code execution vulnerabilities.
For information on securing WordPress installations and developing plugins safely, you may wish to explore the following resources:
- The WordPress Plugin Handbook, specifically the section on security.
- OWASP's guide on Code Injection and how to avoid it.
- The Common Weakness Enumeration (CWE) for Improper Control of Generation of Code ('Code Injection').
Summary
The Content Visibility for Divi Builder plugin (up to version 4.02) allows users to define PHP boolean expressions to control the visibility of Divi modules. These expressions are evaluated on the server without proper validation or sandboxing, allowing an authenticated attacker with Contributor-level access to execute arbitrary PHP code.
Vulnerable Code
// includes/plugin.class.php @ 4.02 line 221 add_action( 'et_builder_ready', array( $this, 'hook_into_builder_shortcodes' ), 1337 ); --- // readme.txt @ 4.02 line 102 = How do I use it!? = Once the plugin is installed and activated, a "Content Visibility" option will appear in each Section or Module's settings... You may enter any PHP boolean expression you would like, (e.g. is_user_logged_in()), and the Section or Module will only display if the expression evaluates to true.
Security Fix
@@ -32,12 +32,13 @@ */ // If this file is called directly, abort. -if ( ! defined( 'WPINC' ) ) { +if ( !defined( 'WPINC' ) ) { die; } -if ( ! defined( 'CVDB_PLUGIN' ) ) { +if ( !defined( 'CVDB_PLUGIN' ) ) { define( 'CVDB_PLUGIN', __FILE__ ); } +require_once 'includes/global-eval-helper.php'; require_once 'includes/plugin.class.php'; @@ -61,7 +69,10 @@ } public function __construct($actions_and_filters_priority = 10) { - $this->underscore_text_domain = str_replace( '-', '_', self::get_text_domain() ); - $this->show_rating_notice_option_key = "{$this->underscore_text_domain}_show-rating-notice"; + require_once plugin_dir_path( CVDB_PLUGIN ) . 'includes/security-scanner.class.php'; + SecurityScanner::init(); + + $this->show_rating_notice_option_key = self::$underscore_text_domain . '_show_rating_notice'; add_action( 'plugins_loaded', array( $this, 'actions_and_filters' ), $actions_and_filters_priority );
Exploit Outline
To exploit this vulnerability, an attacker must have at least Contributor-level permissions. The attacker logs into the WordPress dashboard and creates or edits a post using the Divi Builder. Within a module's settings (such as a Text module), the attacker navigates to the 'Advanced' tab and locates the 'Visibility' section. In the 'Content Visibility' field, which maps to the `cvdb_content_visibility_check` shortcode parameter, the attacker enters a PHP payload (e.g., `system('id')`). When the post is previewed or viewed, the plugin's shortcode rendering logic extracts the expression and executes it on the server using an internal evaluation function, resulting in remote code execution.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.