Visual Composer Security Vulnerability Fix



Hi everyone,

We are getting in touch to let you know about multiple XSS security vulnerabilities in the Visual Composer WordPress plugin versions prior to 4.7.4 (releases prior to October 2, 2015).

We have been working with WP Bakery, the author of Visual Composer who has addressed all identified vulnerabilities and undertaken a code audit to ensure that it is as secure as possible. Theme authors whose items include Visual Composer have been instructed to make sure their items accommodate this upgrade. Items that include older versions of Visual Composer will be disabled from the market until this update is made.

For Buyers

In order to secure your item from these vulnerabilities we strongly encourage you to update to version 4.7.4 or later as soon as possible.

  • If you bought Visual Composer directly via CodeCanyon, then instructions on how to update can be found on the WPBakery website.
  • If you bought a theme that contains Visual Composer, then we will email you a list of affected items. You should download the latest version of these items from your Downloads section on ThemeForest, then follow the update instructions provided by the theme author, which should include instructions on how to update included plugins, such as Visual Composer.

You can check whether you have successfully updated Visual Composer by going to the Plugins screen and scrolling down until you find the WPBakery Visual Composer entry. Please make sure that the version number says 4.7.4.

If you have used this plugin in projects for clients, please help them to secure their sites as well.

If You Can’t Update Visual Composer Through Your Theme

If an item on your list is not shown in your Downloads section, it has not yet been updated to include Visual Composer 4.7.4 and is disabled. We have temporarily made the latest version (4.7.4) available to you via a direct download for use in such cases. Note this is only available for a short time, so please update as soon as possible. Please also be aware that, your license has not changed: your original theme purchase license from ThemeForest only permits use of this plugin with the purchased theme. Instructions to update are as follows:

  1. Make a full backup of your site, including the wp-content/js_composer folder.
  2. Go to the Visual Composer page while signed in and download it to your computer.
  3. Locate and unzip the downloaded file.
  4. Connect to your server using an FTP client and upload the js_composer directory (from the downloaded zip file) to the wp-content/plugins/ directory, overwriting the old Visual Composer files with the secure version.

Note: In some cases this will break your theme. Some themes may need changes to support the latest version of Visual Composer. Other themes may be using modified versions of the Visual Composer plugin. For this reason, we recommend updating through the theme rather than the direct download.

If you’ve updated to Visual Composer 4.7.4 and your theme no longer works, then for an immediate fix, please revert your theme to the backup made prior to updating. Please then reach out to the theme author for support in updating to the secure version of Visual Composer.

Theme Authors

Themes we identify as breaking due to lack of support (in the latest version) for Visual Composer or modified versions of Visual Composer will be soft-disabled pending an update to Visual Composer 4.7.4.


We would like to thank you WP Bakery for fixing these vulnerabilities as quickly and as professionally as possible.

We’d also like to thank theme authors for updating their items at very short notice so that as many items as possible could be fixed for the security of affected users.

Your Security is Our Priority

We take security seriously at Envato. When we receive security vulnerability reports for items sold on our marketplaces, we work as quickly as possible to validate the report, investigate risk and determine the best course of action for the security of our community.

Thank you for your time and we thank you for being a part of Envato Market!

Visual Composer - Security Threat - No purchase code
Envato - prevent bundling of CC plugins
ThemeForest review queue delays.
Approval Status Shows Nothing


We have updated to latest version of VC, also selected attribute in dropdown, but still our theme is soft disabled. Please approve it.


If you’ve resubmitted your theme for review, we’ve prioritised these updates and will process them as quickly as possible.


These updates don’t seem to be properly prioritized. I just uploaded a regular theme update and it was approved in 30 mins. But I have another theme that was disabled because of the security fix and I’m still waiting. It was uploaded 7 hours ago… Please check this as soon as possible (not just my theme, but the whole priority process).


@crelegant I have checked this for you and re-enabled your theme, but the attribute still wasn’t set (screenshot: ). I’ve set this for you now.



You need to follow the instructions very carefully. It is a 2 step process:

  1. Set attribute and click Save Changes;
  2. Then resubmit the item zip file.

If you miss the Save Changes in the first step, the attribute will not be saved. Thanks!


I really hope my items would be approve as soon as possible. I was soft-disabled 9 hours ago and I was asleep. :frowning:


This is not my current situation, so please check the row priority thing like I have described just above. Thank you for all your help so far!


Hey everyone,

We’re working our way through the list of resubmitted items as quickly as we can. We’ve now worked out how to separate the items related to the VC issue from the normal updates and will give them priority.



Our theme (one in the top sellers) has now been deactivated for more than 10 hours now. Please prioritize.


This is scary…


Where is the attribute that is being referred here ?


I already updated the Visual Composer of my items but I accidentally failed to update the attribute. I forgot that they have two buttons for saving, one for file upload and the other one for ‘quick’ item details update.


Can anyone help ? I do not see any Visual composer attribute in edit item settings.


Here is the attribute:



Hi everyone,

I’d like to provide some additional clarification on this issue.

Authors are responsible for ensuring their items are updated, secure and meet quality requirements. In this instance, we provided a 3 day update grace period with notifications to everyone affected and clear instructions to avoid having items soft-disabled.

For those that did have items soft-disabled, we further notified them with instructions required for resolving the issue. At this stage of the process, while we are prioritising updates (which are different than soft-disabled resubmissions), please understand that the responsibility was on authors to have updated their items appropriately and in a timely manner. This is normal operational procedures we follow regularly.

To avoid this in the future, I would recommend that authors carefully follow the provided instructions in a timely manner. For those affected, please understand why this occurred and please have patience while we do our best to process soft-disabled resubmissions as quickly as possible.

Please also be aware that, at this time, soft-disabled resubmissions will not necessarily be prioritised above other normal item updates. The review queues are highly complex with pending reviews in many states, categories and skills being processed simultaneously and continually changing priority depending on many ever changing factors. Rest assured, we are working as quickly and efficiently as we’re able to.

Thanks for your patience and understanding everyone!


Thanks, this is really helpful. I’ve re-saved my item now, hoping they enable it asap.


How does that make sense to first activate the compatible with VC 4.7.4, then submitting?

This means that until it gets approved, buyers see the compatible confirmation, then download a theme that is not compatible and come back frustrated.

Wouldn’t the more logic procedure be to get the update approved, and then switch the compatibility mode on, when the actual downloadable files on server are compatible?

I for one totally missed that step of ticking the compatibility box, but it seems the reviewer was kind enough to check it when approving my update. So, thank you for that :smile:


Also, a theme can be “compatible” with VC 4.7.4 but not include it. So I could have tested my theme with VC and ensure it works, but not bundle VC. So having the option to set that attribute separately to theme approval is best.