We are getting in touch to let you know about multiple XSS security vulnerabilities in the Visual Composer WordPress plugin versions prior to 4.7.4 (releases prior to October 2, 2015).
We have been working with WP Bakery, the author of Visual Composer, who has addressed all identified vulnerabilities and undertaken a code audit to ensure that it is as secure as possible. Theme authors whose items include Visual Composer have been instructed to make sure their items accommodate this upgrade. Items that include older versions of Visual Composer will be disabled from the market until this update is made.
In order to secure your item from these vulnerabilities we strongly encourage you to update to version 4.7.4 or later as soon as possible.
- If you bought Visual Composer directly via CodeCanyon, then instructions on how to update can be found on the WPBakery website.
- If you bought a theme that contains Visual Composer, then we will email you a list of affected items. You should download the latest version of these items from your Downloads section on ThemeForest, then follow the update instructions provided by the theme author, which should include instructions on how to update included plugins, such as Visual Composer.
You can check whether you have successfully updated Visual Composer by going to the Plugins screen and scrolling down until you find the WPBakery Visual Composer entry. Please make sure that the version number says 4.7.4.
If you have used this plugin in projects for clients, please help them to secure their sites as well.
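For anyone checking several client sites, the version check described above can be scripted against each site's files. The following is an added example, not code from Envato or WP Bakery: it reads the standard WordPress "Version:" plugin header from the js_composer plugin directory and compares it with 4.7.4. The function names and the sample install it builds are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 7, 4)  # first fixed release named in the advisory

# WordPress reads a plugin's version from a "Version:" line in the header
# comment of the plugin's main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = HEADER_RE.search(text[:8192])  # WordPress only reads the first 8 KB
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def plugin_version(plugin_dir):
    """Scan the top-level PHP files of a plugin directory for a Version header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        v = parse_version(php.read_text(errors="replace"))
        if v is not None:
            return v
    return None

def status(wp_root):
    """Classify one install: 'absent', 'unknown', 'vulnerable' or 'fixed'."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / "js_composer"
    if not plugin_dir.is_dir():
        return "absent"
    v = plugin_version(plugin_dir)
    if v is None:
        return "unknown"  # modified or damaged copy: inspect by hand
    # Pad so "4.7" compares as 4.7.0; tuples make 4.7.10 sort after 4.7.4.
    v = v + (0,) * (len(FIXED) - len(v))
    return "vulnerable" if v < FIXED else "fixed"

def make_site(root, version):
    """Build a constructed sample install (not real plugin code) for a dry run."""
    d = Path(root) / "wp-content" / "plugins" / "js_composer"
    d.mkdir(parents=True)
    header = f"<?php\n/*\nPlugin Name: WPBakery Visual Composer\nVersion: {version}\n*/\n"
    (d / "js_composer.php").write_text(header)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for ver in ("4.7.3", "4.7.4", "4.7.10"):
            print(ver, status(make_site(Path(tmp) / ver, ver)))
```

An "unknown" result means no version header was found, which can happen with the theme-modified copies of the plugin mentioned later in this notice; treat those as needing a manual check.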
If You Can’t Update Visual Composer Through Your Theme
If an item on your list is not shown in your Downloads section, it has not yet been updated to include Visual Composer 4.7.4 and is disabled. We have temporarily made the latest version (4.7.4) available to you via a direct download for use in such cases. Note this is only available for a short time, so please update as soon as possible. Please also be aware that your license has not changed: your original theme purchase license from ThemeForest only permits use of this plugin with the purchased theme. Instructions to update are as follows:
- Make a full backup of your site, including the
- Go to the Visual Composer page while signed in and download it to your computer.
- Locate and unzip the downloaded file.
- Connect to your server using an FTP client and upload the js_composer directory (from the downloaded zip file) to the wp-content/plugins/ directory, overwriting the old Visual Composer files with the secure version.
Note: In some cases this will break your theme. Some themes may need changes to support the latest version of Visual Composer. Other themes may be using modified versions of the Visual Composer plugin. For this reason, we recommend updating through the theme rather than the direct download.
If you’ve updated to Visual Composer 4.7.4 and your theme no longer works, then for an immediate fix, please revert your theme to the backup made prior to updating. Please then reach out to the theme author for support in updating to the secure version of Visual Composer.
Themes we identify as breaking due to lack of support (in the latest version) for Visual Composer or modified versions of Visual Composer will be soft-disabled pending an update to Visual Composer 4.7.4.
We would like to thank WP Bakery for fixing these vulnerabilities as quickly and as professionally as possible.
We’d also like to thank theme authors for updating their items at very short notice so that as many items as possible could be fixed for the security of affected users.
Your Security is Our Priority
We take security seriously at Envato. When we receive security vulnerability reports for items sold on our marketplaces, we work as quickly as possible to validate the report, investigate risk and determine the best course of action for the security of our community.
Thank you for your time and we thank you for being a part of Envato Market!