Visual Composer Vulnerability – Authenticated Contributor+ Stored Cross-Site Scripting – CVE-2023-6880 | WordPress Plugin Vulnerability Report

Plugin Name: Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages

Key Information:

  • Software Type: Plugin
  • Software Slug: visualcomposer
  • Software Status: Active
  • Software Author: visualcomposer
  • Software Downloads: 2,579,334
  • Active Installs: 60,000
  • Last Updated: March 1, 2024
  • Patched Versions: <= 45.6.0
  • Affected Versions: 45.7.0

Vulnerability Details:

  • Name: Visual Composer Premium <= 45.6.0
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2023-6880
  • CVSS Score: 6.4
  • Publicly Published: February 29, 2024
  • Researcher: Francesco Carlucci
  • Description: The Visual Composer plugin, a comprehensive tool for building and customizing WordPress sites, has been identified with a Stored Cross-Site Scripting vulnerability in its custom fields functionality. In versions up to and including 45.6.0, the plugin fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with at least contributor-level permissions to inject harmful scripts. These scripts can be executed by any user visiting the affected page, posing a significant risk to site integrity and user security.


The Visual Composer plugin for WordPress contains a vulnerability in versions up to 45.6.0, enabling authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks through the plugin's custom fields. This vulnerability has been addressed in the patched version, reinforcing the plugin's security against such exploitations.

Detailed Overview:

Discovered by Francesco Carlucci, this vulnerability underscores the critical importance of rigorous input sanitization and output escaping in web development, particularly within plugins that allow for extensive customization and content creation. The potential for attackers to inject and execute arbitrary scripts compromises not only the security of the website but also the privacy and safety of its users. The release of the patch in version 45.6.0 is a proactive measure taken by the Visual Composer development team to mitigate this vulnerability and protect websites from potential XSS attacks facilitated by this oversight.

Advice for Users:

  • Immediate Action: Users of the Visual Composer plugin are urged to update to version 45.6.0 or later immediately to safeguard their websites from this vulnerability.
  • Check for Signs of Vulnerability: Site administrators should monitor their websites for any unusual or unauthorized content changes, which may indicate exploitation of this vulnerability.
  • Alternate Plugins: While the patched version addresses this specific issue, users may consider exploring alternative page builder plugins that consistently demonstrate strong security practices as an additional precaution.
  • Stay Updated: Regularly updating all WordPress plugins and themes is essential in maintaining site security. Enabling automatic updates where possible can ensure timely application of security patches, reducing the risk of vulnerabilities.


The swift identification and remediation of the Stored Cross-Site Scripting vulnerability in the Visual Composer plugin highlight the ongoing challenges in maintaining web security. This incident serves as a potent reminder to all WordPress users of the paramount importance of keeping software up-to-date. By adhering to this fundamental security practice, website owners can significantly enhance their defenses, ensuring a secure and reliable online presence for themselves and their users.


In today's interconnected world, the security of digital platforms is paramount, with vulnerabilities posing significant risks to the integrity and trustworthiness of websites. The recent identification of a vulnerability within the Visual Composer WordPress plugin, known as CVE-2023-6880, underscores the critical importance of vigilance in web security. This vulnerability, rooted in the plugin's handling of custom fields, reveals how even widely-used tools like Visual Composer can become potential gateways for cyber threats.

Visual Composer: A Cornerstone for Website Creation

Visual Composer stands out as a comprehensive tool for building and customizing WordPress sites, boasting over 2.5 million downloads and 60,000 active installations. Its extensive functionality, from landing page construction to theme customization, makes it an invaluable asset for website administrators and developers alike. Authored by visualcomposer and regularly updated, the plugin's widespread adoption highlights its integral role in the WordPress ecosystem.

Unpacking CVE-2023-6880

CVE-2023-6880 exposes a Stored Cross-Site Scripting (XSS) vulnerability within Visual Composer's custom fields feature, affecting versions up to 45.6.0. Discovered by Francesco Carlucci, this flaw arises from inadequate input sanitization and output escaping, allowing authenticated contributors to inject malicious scripts. These scripts, once executed by unsuspecting users, can compromise both site functionality and user security, underscoring the vulnerability's potential impact.

Risks and Implications

The vulnerability poses significant risks, from data breaches to unauthorized access, threatening not only website integrity but also user trust—a crucial commodity for any online presence, especially for small businesses. The potential for harm extends beyond the digital realm, impacting reputational standing and potentially incurring legal liabilities.

Remediation and Proactive Measures

In response to CVE-2023-6880, the Visual Composer team promptly issued a patch in version 45.6.0, addressing the vulnerability. Users are urged to update their plugins immediately to safeguard against exploitation. Additionally, website administrators should remain vigilant, monitoring for unusual site behavior and unauthorized content changes, which may indicate a security breach.

Historical Context and Ongoing Vigilance

This is not the first challenge faced by Visual Composer, with three previous vulnerabilities reported since May 18, 2020. This history serves as a reminder of the ever-present nature of digital threats and the importance of regular updates and security audits.

The Importance of Diligence in Digital Security

For small business owners managing WordPress websites, the discovery and resolution of CVE-2023-6880 highlight the indispensable need for continuous attention to digital security. In a landscape where cyber threats are constantly evolving, the commitment to maintaining updated and secure software is not merely a technical task but a fundamental aspect of sustaining a secure and reliable online presence. Regular updates, vigilant security practices, and an awareness of potential vulnerabilities are essential in protecting digital assets, ensuring the safety of both website owners and their users in the digital marketplace.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Visual Composer Vulnerability – Authenticated Contributor+ Stored Cross-Site Scripting – CVE-2023-6880 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment