Tech Topics

Divi Marketplace: Buyer At Risk

I am a lifetime Divi account holder with Elegant Themes. I like the theme and have used it on more than a few websites. I have never had a reason to question their commitment to security. Until I bought a plugin on the Divi Marketplace. That’s when the truth hit the fan.

The plugin was a pop-up modal sold by Divi Extended, which is owned by the India-based Elicus company. When I couldn’t fix an issue, I requested support. I gave the developer access to the website to fix a problem with the close button. The fix didn’t look any different to me and I replied as such in the support thread. Then I got busy. This is a screenshot  last text I received from Divi Extended:

I tried to reply but the thread was locked. I talked with Elegant Theme’s Support and finally just decided it wasn’t worth opening a new thread or asking for my money back. Instead, I left a review.

Wordfence Security Alert

On Oct 30^th, I got an alert from the Wordfence plugin (site URL redacted):

This email was sent from REDACTED: by the Wordfence plugin at Monday 30th of October 2023 at 12:25:34 PM The Wordfence administrative URL for this site is: REDACTED

Someone tried to recover the password for user with email address: REDACTED@diviextended.com User IP: 103.59.75.58 User hostname: 103.59.75.58 User location: Jaipur, India

I need to own that I hadn’t removed Divi Extended as a user on the site. BIG MISTAKE. To provide support, they were granted admin access. They used those admin privileges to change an expired (forgotten?) password so they could access the site without permission. They would have succeeded if it wasn’t for Wordfence. I immediately logged in and deleted their user account.

Good thing I did:

This email was sent from REDACTED  by the Wordfence plugin at Monday 30th of October 2023 at 12:30:55 PM The Wordfence administrative URL for this site is: REDACTED

A user with IP address 103.59.75.58 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘diviextended’ to try to sign in.

The duration of the lockout is 10 days.

User IP: 103.59.75.58

User hostname: 103.59.75.58

User location: Jaipur, India

Contacting Elegant Themes Support

I immediately reported the attempted breach to Elegant Themes. After waiting more than a day to hear back, I pushed and finally got copied on an email. Divi Extended claimed the ticket was still open, their attempt to access the site without permission or knowledge was just to help. No malicious intent. The review – the only content that could have prompted the need for such “help” – had nothing to do with it.

Honest.

Here’s my first response from Mitch Slotkin who was in charge of investigating what happened:

Notice that Mitch is already leaning into the “misguided attempt to fix your issue” theory. And my issue would be what? Divi Extended says the review was not the trigger – they’re just helpers. The thread was locked (and the ticket was closed as per their own post) so what was the issue?

This tone of minimizing the intrusion was consistent throughout their communications. My responses were heated and furious – including swearing, calling BS, more than one accusation of lying, and plenty of sarcasm. Especially at the end of the “investigation.” Unprofessional for sure but given the outcome, I’m not apologizing.

Misguided vs Malicious?

Divi Extended attempted an intrusion on a site they do not own without permission or knowledge of the owner. They had to update an expired or lost password to do it. There was nothing misguided about it – it was deliberate.

But I should just take Elegant Theme’s word for it that one of their vendors breaking into someone else’s website after a less-than-positive review couldn’t possibly involve malicious intent.

SAID NO ONE EVER WHO BLOCKED AN ILLICIT LOGIN ON THEIR WEBSITE.

Elegant Themes: Culpability without Consequences

Did I mention that Divi Extended claims to be a best seller on The Divi Marketplace? And that Elegant Themes blamed everything/everyone including their own platform and support staff – except Divi Extended.

Here are the last 2 paragraphs from Mitch Slotkin’s email explaining they weren’t going to do anything about the attempted hack – BECAUSE DIVI EXTENDED WAS RESPONDING TO THE REVIEW:

(To avoid claims of cherry-picking, a screenshot of the entire email is included at the end of this post.)

Notice how Mitch notes that Divi Extended’s “high value on their reputation” would NEVER allow them to do what they just did – attempt to gain access to a website without the owner’s knowledge or permission.

I’m supposed to take his word for it that they had no malicious intent. Like payback for a negative review, that Mitch claims triggered their illicit login attempt.

The terms of Divi Marketplace specifically state they are not responsible for third-party vendors. Legally astute and perfectly understandable to protect themselves – but not their customers – from unethical third parties.

When a platform admits one of its vendors accessed a website without the owner’s knowledge or permission and does nothing, it should not be trusted. By anyone.

Complete email response here: