Security problems with the Visual Composer plugin

Hi! A few days ago I received an email in my personal account from the folks at Envato, warning of a security problem with the Visual Composer plugin. I'm passing along the full email so you're aware in case any of you use this plugin.

Hello,

We have identified a group of emails we recently sent in which the list of affected themes was missing or incorrect. We apologise for any confusion this may have caused. We have worked to correct this information and have included the corrected list of affected themes below.

- - - CORRECTED EMAIL - - -

We are getting in touch to let you know about multiple XSS security vulnerabilities in the Visual Composer WordPress plugin versions prior to 4.7.4 (releases prior to October 2, 2015). This plugin was included in items you've purchased (listed below).

We have been working with WP Bakery, the creators of Visual Composer, who have addressed all identified vulnerabilities and undertaken a code audit to ensure that it is as secure as possible. Theme authors whose items include Visual Composer have been instructed to make sure their items accommodate this upgrade. Items that include older versions of Visual Composer will be disabled from the market until this change is made.

Affected Items

Your items that include Visual Composer:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What You Should Do

In order to secure your item from these vulnerabilities we strongly encourage you to update to version 4.7.4 or later as soon as possible. We recommend you take the following steps to secure your sites immediately, after first backing up your WordPress site.

Visual Composer Plugin Update Steps

1. Log in to codecanyon.net and proceed to download the latest version of Visual Composer to your computer from this URL: Visual Composer: Page Builder for WordPress - WordPress | CodeCanyon
2. Locate and unzip the downloaded plugin file.
3. Connect to your server using an FTP client and upload the js_composer directory (from the downloaded zip file) to the wp-content/plugins/ directory. (Note: This will overwrite the old Visual Composer files with the secure versions.)
4. Log into WordPress and navigate to the Plugins page to confirm the Visual Composer plugin is version 4.7.4.

The link to the latest version, provided above, will be live for 3 weeks from the time this email was sent. After this period, you will need to access the latest version via your theme zip file.

Please note: This replaces the existing plugin under the licensing of the theme(s) you've purchased and is only licensed for use in these themes.

Your Security is Our Priority

We take security seriously at Envato. When we receive security vulnerability reports for items sold on our marketplaces, we work as quickly as possible to validate the report, investigate risk and determine the best course of action for the security of our community.

On behalf of the plugin creator and Envato, we'd like to apologize for this inconvenience and assure you that security is and always will be our priority.

Regards,
The Envato Team
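
The last step of the email (confirming the plugin is at 4.7.4 or later) can also be checked on the filesystem across many sites at once. The following Python script is an added example, not code from Envato or WP Bakery; it assumes each site sits in its own directory under one root and that the plugin declares its version in a standard WordPress `Version:` header, and the two-site tree it builds is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 7, 4)  # first fixed release named in the Envato email

# Same shape WordPress uses to read the "Version:" plugin header comment.
HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

def plugin_version(plugin_dir):
    """Return the version tuple declared by a top-level PHP file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only looks at roughly the first 8 KB of a file for headers.
        match = HEADER.search(php.read_text(errors="replace")[:8192])
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None

def audit(root):
    """Map each site under root to (version, status) for its js_composer copy."""
    report = {}
    for plugin_dir in sorted(Path(root).rglob("wp-content/plugins/js_composer")):
        if not plugin_dir.is_dir():
            continue
        version = plugin_version(plugin_dir)
        if version is None:
            status = "unknown"      # no readable header: inspect by hand
        elif version < FIXED:
            status = "vulnerable"   # predates 4.7.4: replace the directory
        else:
            status = "ok"
        site = plugin_dir.relative_to(root).parts[0]
        report[site] = (version, status)
    return report

def demo():
    """Build a constructed two-site tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in (("site_a", "4.7.3"), ("site_b", "4.7.4")):
            d = Path(tmp, site, "wp-content", "plugins", "js_composer")
            d.mkdir(parents=True)
            # Constructed header, not the plugin's real file contents.
            (d / "plugin.php").write_text(f"<?php\n/*\nPlugin Name: Sample\nVersion: {ver}\n*/\n")
        return audit(tmp)

if __name__ == "__main__":
    for site, (version, status) in demo().items():
        print(site, ".".join(map(str, version or ())) or "?", status)
```

Tuple comparison keeps multi-digit components ordered correctly, so a release such as 4.10 is treated as newer than 4.7.4, which a plain string comparison would get wrong.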
 

G3Tu

Thanks a lot! A lot of ThemeForest themes use this plugin. A real pain when you manage so many projects that contain this plugin. Noted!


Sent from my iPhone. I'm not sitting in front of the computer.
 
Yes, I got the same one. I have several themes with that plugin. The one I need, I have updated!
 