Visual Composer Security Vulnerability Fix



I resubmitted by item as soon as it was disabled, now it has been more than 12 hours of resubmission and item is still soft disabled. Please help !

Update: Thanks to Matt, my item is now back. Thank you for cooperation.



I have purchased a theme on Envato, which contains Visual Composer. The author has stopped responding to any support tickets or comments, and the template has been disabled on Envato.
I just found out about this issue with VC. I bought the item for a client’s website. Current version of VC is 4.5.3. What should I do next & how to update VC to v. 4.7.4?

Thanks for your help!!!


If the author has removed his item from ThemeForest (not soft disabled because of the update, but moved away from ThemeForest all together), then you’d ultimately need to get a copy of Visual Composer so you can update it on your client site.

I know this isn’t an ideal solution - but it’s one of the issues that comes with purchasing a theme bundled with premium plugins.

If your theme author has just been soft disabled because of the VC compatibility issue, then I guess you just need to wait until the updated theme is released, and then update your client site with the new theme version.

Hope it helps!


Hi ux2,

Buyers of themes that contained Visual Composer will receive emailed instructions, if you haven’t already, soon on updating to the secure version.

Edit: If you’ve bought a theme containing Visual Composer, you will now be able to download the secure updated version from the item page directly on CodeCanyon (once signed in). This will only be temporary, so please update your item soon.

Please also be aware that, unless you’ve directly purchased Visual Composer, your original theme purchase license from ThemeForest only permits use of this plugin with the purchased theme (ie. this is not providing a stand-alone license for Visual Composer).

If you need instructions for updating the plugin, you should be receiving the previously mentioned email soon, which includes those update instructions.



Top job. You guys rocks :slight_smile:


Thanks for responding!!
I may just get a different theme and start over, since it seems like the author has vanished and there is no support for the item. :confused:

Thanks again for the advice!


Strange, I had selected. But, maybe it got deselected due to some reason. Anyways, thanks guys! :slight_smile:


Hi jremick!
Thank you for replying with all the details!

I haven’t gotten an email yet. So, wait for that email first, or just go to CodeCanyon and download the secure version of VC (even though I’ve purchased the theme bundled with the plugin)?..

Sorry about all the questions. Just making sure I understand correctly…

I appreciate your time and help!!!


Is someone looking on disabled items? we updated them and some of them are for 14 hours in queue.


Hi @StephenCronin,

We have updated all of our theme with the latest VC4.7.4

Please prioritize these updates for us too…

TokoPress Team


Hi ux2,

We’ve provided theme buyers with a temporary direct download of the secure update of the plugin to expedite the update process and further mitigate security risk. The important thing to note here is that the license for the theme you’ve purchased includes the use of the Visual Composer plugin only with that theme.

If you’d like to use the Visual Composer plugin elsewhere, you will need to purchase it separately.

I hope that helps clarify a bit further for you. :smile:


Yes, our review team has prioritised reviewing items updating the Visual Composer plugin. While updates continue streaming in, we had recently processed the large majority of them and will get to your item(s) soon (if we haven’t already).



OFF : As an envato Staff, you feel this is stupid… then why not save everything if clicked the Save button below? I’ve asked this for many times, but no one cares.



what about themes that come bundled with modified versions of VC? they’d have to figure out how to ensure 4.7.4 security fixes are coded


H, jremick!

I understand about the license. Yes, I’m only going to use the VC plugin with that theme.
I just downloaded VC version 4.7.4.

Thanks! :slight_smile:


In my experience the “modified” versions of VC simply add filters/templates here and there and would be completely compatible with this security update.


hi, nope, my older the7 themes used modified VC; licensing/installing the 4.7.4 broke it completely. fixed in latest 7.2 update

Envato - prevent bundling of CC plugins

interesting! thanks!

I’d be keen to see a diff between modified version and legit version to see if same mods can be achieved with filters.


You can’t counter for bad developers who don’t know how to use filters and actions, and they just edit core files


Still waiting for review for disabled item due to VC.