Heads up for our Divi users (theme and builder plugin), as well as users of the Extra, Bloom, and Monarch plugins. The following alert was sent out on Monday, March 11th:
Today some of our products were updated to patch a security issue. This issue was patched after being privately disclosed to our team by an independent security researcher. Updating your themes and plugins to their latest versions will apply the patch, keeping your website secure.
Some cross-site request forgery checks within our core product framework could potentially be bypassed. In all cases, these checks were also hardened by user permission checks; however, user permission checks alone are not sufficient to protect against all CSRF vectors.
It is imperative that you update these plugins/themes immediately. If you are using our 1-click web apps utility to manage your WordPress install and you have licenses installed for any of the above affected plugins, it will auto-update your plugins in the next 48 hours, though we do recommend checking manually to be sure.
If you do not have an active license, the ElegantThemes folks have generously offered to provide free updates for all those affected, regardless of license status:
We are making these updates available for free to all expired accounts. Even if your account has expired, you can still update your themes or plugins to their latest versions via your WordPress dashboard. Expired accounts will not be restricted from updating.
If you use any of these plugins, be sure to update now.
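To illustrate the alert's point that permission checks alone do not stop CSRF, here is an added example that is not code from Elegant Themes or from any of the affected products. It shows a WordPress AJAX handler guarded only by a capability check next to one that also verifies a nonce. The action names, nonce action, option name and form function are hypothetical.

```php
<?php
// Added illustration only; not code from Divi, Extra, Bloom, or Monarch.
// Action names, nonce action and option name below are hypothetical.

// Weak: capability check only. A forged cross-site request sent by a
// logged-in administrator's browser carries the admin's session cookie,
// so current_user_can() passes even though the admin never intended it.
add_action( 'wp_ajax_example_save_weak', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
} );

// Hardened: verify a nonce bound to the user's session and this action,
// then check the capability. A page on another origin cannot read the
// nonce, so a forged request is rejected before any state changes.
add_action( 'wp_ajax_example_save_hardened', function () {
    // Third argument false: return false on failure instead of dying,
    // so the handler chooses the error response itself.
    if ( ! check_ajax_referer( 'example_save_setting', '_wpnonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
} );

// The legitimate admin form embeds the nonce the hardened handler expects.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_hardened">';
    wp_nonce_field( 'example_save_setting' ); // emits the hidden _wpnonce field
    echo '<input type="text" name="value"><input type="submit" value="Save">';
    echo '</form>';
}
```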