Their is a Multiple XSS Vulnerability Update For WP Bakery Visual Composer that was released today. This is a free update from WP Bakery. I have not been able to find the details of the XSS vulnerabilities discovered and patched but I have one client with an older version of the Visual Composer that has been hacked a few times. I suspected this was the culprit and now we have an update for it.
The update is a free download from Code Canyon. Performing the update is easy if you have FTP, just download, extract, and copy over the existing folder /js_composer folder in your WordPress plugins.
If you don’t have FTP access you should be able to upload the .zip file via the plugin updater in the WordPress plugin area.