Visual Composer Website Builder Security & Risk Analysis

wordpress.org/plugins/visualcomposer

Drag and drop page builder that gives the freedom to design WordPress websites, landing pages, custom themes, maintenance mode & coming soon pages.

40K active installs · v45.15.0 · PHP 7.4+ · WP 5.5+ · Updated Aug 6, 2025
Tags: drag-and-drop-website-builder, landing-page-builder, page-builder, popup-builder, theme-builder
Score: 96 (A · Safe)
CVEs total: 9
Unpatched: 0
Last CVE: Aug 14, 2025
Safety Verdict

Is Visual Composer Website Builder Safe to Use in 2026?

Generally Safe

Score 96/100

Visual Composer Website Builder has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Aug 14, 2025 · Updated 8mo ago
Risk Assessment

The static analysis for Visual Composer v45.15.0 reveals a generally positive security posture regarding its attack surface. There are no reported AJAX handlers, REST API routes, shortcodes, or cron events with unprotected entry points. The plugin also demonstrates good practices with a high percentage of SQL queries using prepared statements and a significant portion of outputs being properly escaped. Nonce and capability checks are present, and there are no bundled libraries to indicate potential outdated dependencies.

However, the taint analysis indicates a potential concern. While there are no critical or high-severity flows with unsanitized paths, the presence of two flows with unsanitized paths warrants attention. This suggests that user-supplied input might not be adequately validated before being used in certain operations, potentially leading to vulnerabilities if not handled carefully in the context of where these flows occur. The file operations and external HTTP requests, while not directly flagged as risky in the static analysis, represent areas that would require deeper manual review to ensure no insecure handling.

The vulnerability history shows a significant number of past medium-severity CVEs, primarily related to Cross-Site Scripting (XSS). While there are currently no unpatched vulnerabilities, the historical pattern of XSS issues indicates a recurring weakness that has required multiple fixes. The date of the last vulnerability, August 2025, while in the future, might be a placeholder or indicate a recent historical fix that occurred around that time. The overall picture is a plugin that has significantly improved its security hygiene but has a history of XSS issues, plus a minor lingering concern from the taint analysis regarding input sanitization.

Key Concerns

  • Taint flows with unsanitized paths detected
  • History of 9 medium severity CVEs
  • Common vulnerability type: XSS
Vulnerabilities: 9

Visual Composer Website Builder Security Vulnerabilities

CVEs by Year

  • 2020: 1 CVE
  • 2022: 2 CVEs
  • 2024: 3 CVEs
  • 2025: 3 CVEs

Severity Breakdown

Medium: 9

9 total CVEs

CVE-2025-55709 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer Website Builder <= 45.13.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 14, 2025 Patched in 45.15.0 (6d)

CVE-2025-48276 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer Website Builder <= 45.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 19, 2025 Patched in 45.12.0 (11d)

CVE-2025-46254 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer Website Builder <= 45.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 22, 2025 Patched in 45.11.0 (9d)

CVE-2024-35653 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer Website Builder <= 45.8.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Jun 3, 2024 Patched in 45.9.0 (9d)

CVE-2024-27997 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer Website Builder <= 45.6.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Mar 15, 2024 Patched in 45.7.0 (6d)

CVE-2023-6880 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer Premium <= 45.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 29, 2024 Patched in 45.7.0 (152d)

CVE-2022-2516 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer Website Builder <= 45.0 - Authenticated Stored Cross-Site Scripting via 'Title'

Aug 29, 2022 Patched in 45.0.1 (512d)

CVE-2022-2430 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer Website Builder <= 45.0 - Authenticated Stored Cross-Site Scripting via 'Text Block'

Aug 29, 2022 Patched in 45.0.1 (512d)

CVE-2020-36722 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Composer <= 26.0 - Multiple Cross-Site Scripting

May 18, 2020 Patched in 27.0 (1345d)

Code Analysis
Analyzed Mar 16, 2026

Visual Composer Website Builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (46 prepared)
Unescaped Output: 122 (364 escaped)
Nonce Checks: 6
Capability Checks: 11
File Operations: 4
External Requests: 17
Bundled Libraries: 0

SQL Query Safety

94% prepared · 49 total queries

Output Escaping

75% escaped · 486 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
renderedFieldsList (visualcomposer\Helpers\Views.php:174)
Attack Surface

Visual Composer Website Builder Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 27
Type · Hook · Location
action · vcv:boot · bootstrap\app.php:13
action · vcv:bootstrap:lazyload · bootstrap\autoload.php:24
action · init · bootstrap\autoload.php:32
action · admin_init · bootstrap\autoload.php:33
action · admin_notices · plugin-wordpress.php:124
filter · wc_google_analytics_pro_do_not_track · visualcomposer\Modules\Assets\EnqueueController.php:124
filter · redirect_canonical · visualcomposer\Modules\Editors\PageEditable\Controller.php:47
filter · the_title · visualcomposer\Modules\Editors\Settings\TitleController.php:63
action · admin_head · visualcomposer\Modules\Settings\Traits\SubMenu.php:119
action · admin_enqueue_scripts · visualcomposer\Modules\Vendors\Gutenberg\AttributeController.php:236
filter · screen_options_show_screen · visualcomposer\Modules\Vendors\Gutenberg\AttributeController.php:237
filter · admin_body_class · visualcomposer\Modules\Vendors\Gutenberg\AttributeController.php:238
filter · gform_init_scripts_footer · visualcomposer\Modules\Vendors\Plugins\GravityFormsController.php:41
filter · revslider_modify_slider_settings · visualcomposer\Modules\Vendors\Plugins\RevSliderController.php:48
action · wp_enqueue_scripts · visualcomposer\Modules\Vendors\Plugins\WooCommerceSquareController.php:50
action · wp_enqueue_scripts · visualcomposer\Modules\Vendors\Plugins\WooCommerceSquareController.php:51
action · wp_enqueue_scripts · visualcomposer\Modules\Vendors\Plugins\WooCommerceSquareController.php:52
action · wp_enqueue_scripts · visualcomposer\Modules\Vendors\Plugins\WooCommerceSquareController.php:53
filter · wc_gateway_square_credit_card_is_available · visualcomposer\Modules\Vendors\Plugins\WooCommerceSquareController.php:128
action · wp_enqueue_scripts · visualcomposer\Modules\Vendors\Plugins\WooCommerceStripeController.php:44
action · wp_enqueue_scripts · visualcomposer\Modules\Vendors\Plugins\WooCommerceStripeController.php:45
filter · wpforms_frontend_recaptcha_disable · visualcomposer\Modules\Vendors\Plugins\WpFormsController.php:44
filter · user_can_richedit · visualcomposer\Modules\Vendors\Plugins\WpmlController.php:389
filter · wp_nav_menu_objects · visualcomposer\Modules\Vendors\Themes\WeaverXtremeController.php:53
filter · wp_list_pages_excludes · visualcomposer\Modules\Vendors\Themes\WeaverXtremeController.php:57
filter · wp_list_pages · visualcomposer\Modules\Vendors\Themes\WeaverXtremeController.php:58
filter · admin_footer_text · visualcomposer\Modules\Vendors\WordPressController.php:29
Maintenance & Trust

Visual Composer Website Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 6, 2025
PHP min version: 7.4
Downloads: 3.0M

Community Trust

Rating: 92/100
Number of ratings: 219
Active installs: 40K
Developer Profile

Visual Composer Website Builder Developer Profile

Visual Composer

2 plugins · 42K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 258 days
Detection Fingerprints

How We Detect Visual Composer Website Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
