Visual Composer “XSS security vulnerabilities” explained

Posted on October 16, 2015 by in Announcements

First of all, there’s no need to panic.
We’d like to emphasize that Envato is screaming Red Alert without explaining what the issue really is..
As usual (:

Second, let’s have a look into the issue itself.
There is a security “hole” which allows users without admin permissions to get access to some admin features (namely editing pages/posts/etc.). However, this is quite complicated and time consuming task even for experienced developer/hacker, who is well accustomed with Visual Composer codebase. It cannot be exploited by amateur.
Therefore, we haven’t heard of cases exploiting this vulnerability in the real world.

Moreover, on most WordPress sites there is only an admin user(s) and registration of new users is disabled.
In this case there’s no way to exploit this security hole.
Which lead us to the fact that usage of older versions of Visual Composer on such sites is 100% safe.

This information is confirmed by Michael M. from WPBakery (Visual Composer developer).