There are multiple XSS security vulnerabilities in the Visual Composer WordPress plugin versions prior to 4.7.4 (releases prior to October 2, 2015).
Finally WP Bakery, the creators of Visual Composer, who have addressed all identified vulnerabilities and undertaken a code audit to ensure that it is as secure as possible.Developers whose items include Visual Composer have been instructed to make sure their items accommodate this upgrade. Items that include older versions of Visual Composer will be disabled from the market until this change is made.
What You Should Do
In order to secure your item from these vulnerabilities we strongly encourage you to update to version 4.7.4 or later as soon as possible. We recommend you take the following steps to secure your sites immediately, after first backing up your WordPress site.
Visual Composer Plugin Update Steps
- Log in to codecanyon.net and proceed to download the latest version of Visual Composer to your computer from this URL:http://codecanyon.net/item/
- Locate and unzip the downloaded plugin file.
- Connect to your server using an FTP client and upload the js_composerdirectory (from the downloaded zip file) to the wp-content/plugins/directory. (Note: This will overwrite the old Visual Composer files with the secure versions.)
- Log into WordPress and navigate to the Plugins page to confirm the Visual Composer plugin is version 4.7.4
The link to the latest version, provided above, will be live for 3 weeks from the time this email was sent. After this period, you will need to access the latest version via your theme zip file.