Visual Composer XSS Security Risk

The recent multiple XSS security vulnerabilities exposed in Visual Composer, one of the most popular plugins due to the immense number of ‘designers’ who can’t sell themes otherwise on Themeforest, has just put tens of thousands (or more) at risk of having their sites compromised.

If you were one of those buyers who bought the plugin, or a theme bundled with the plugin, then now’s a good time to head over to your Themeforest/Codecanyon download page and get the latest version that fixes the current issues. You will need to be running v4.7.4 to be safe.

Now, I’m sure the guys at Visual Composer did their best to patch this as soon as possible, but the cat’s out of the bag. I can’t imagine how many end users are out there who were sold the plugin and themes forwarded by the real buyers, and how many don’t have access to get the updated version?!

Which Is Why Bundling Plugins With Themes Is Stupid

There’s no reason why a theme should ever “need” a plugin to be a theme. I’m not talking about plugins that offer very niche features like e-commerce or auctions. I’m talking about putting a wide slider on top with three boxes underneath it. Why should a theme ever need this to be shifted into plugin territory?

If you’re a theme developer, think about it.

I understand that some users are not creatively inclined, or wouldn’t know where to begin with editing a theme file, let alone write a custom post query to present content in a particular way. But the moment a theme passes into the territory of not offering anything unique except the fact that it hooks into a plugin to help shape its home page, and every other page, then you have failed your clients as a designer and/or developer.

The only reason Visual Composer got to where it is today is because of the huge number of ‘authors’ bundling the plugin with their theme and using it to ‘design’ the home pages of their themes.

There’s absolutely no reason that a theme author should completely give up the task of creating a page to a 3rd party plugin.

It’s just…lazy.

