Visual Composer WordPress — ENVATO SECURITY ALERT

[alibey]

what am i supposed to do about this message from Envato (see below)? i have a live e-commerce site. do i need to shut down my site immediately to protect my customers? i would appreciate an immediate response, as there are serious PCI compliance issues involved. thank you.

“We are getting in touch to let you know about multiple XSS security vulnerabilities in the Visual Composer WordPress plugin versions prior to 4.7.4 (releases prior to October 2, 2015). This plugin was included in items you’ve purchased (listed below).

We have been working with WP Bakery, the creators of Visual Composer, who have addressed all identified vulnerabilities and undertaken a code audit to ensure that it is as secure as possible. Theme authors whose items include Visual Composer have been instructed to make sure their items accommodate this upgrade. Items that include older versions of Visual Composer will be disabled from the market until this change is made.
Affected Items

Your items that include Visual Composer:

Atelier – Creative Multi-Purpose eCommerce Theme”

[Knaggsy]

I would be interested to see this resolved and also ask is it ok to delete the VC plugin if my pages do no use it?

[David Martin – Support]

Hi,

Yes we are aware of this and are issuing the relevant update ASAP.

If you do not use the plugin or any of it’s shortcodes, you can indeed remove it.

– David.

[Knaggsy]

This reply has been marked as private.

[Rui Guerreiro – SUPPORT]

Hi,

You can grab the latest version of Visual Composer that is inside the Themeforest files from our theme zip.
That latest version fixed their security issue.

-Rui

[Knaggsy]

Thanks Rui Great response 🙂

[Rui Guerreiro – SUPPORT]

No problem. Thanks
-Rui