Title: Public Security Patch
Last modified: May 4, 2026

---

# Public Security Patch

 *  [webmasteral](https://wordpress.org/support/users/webmasteral/)
 * (@webmasteral)
 * [1 week, 1 day ago](https://wordpress.org/support/topic/public-security-patch/)
 * A client of mine really enjoys this plugin but the security issues must be addressed.
   I am posting the patches I made to this plugin to address the two major security
   issues: the Broken Access Control and CSRF issues.
 * ==============================================
   WORDPRESS PLUGIN SECURITY FIXESMega
   Addons For WPBakery Page Builder Version 4.3.0 -> 4.3.1
 * ==============================================
 * FILE 1: main.php
 * Line 87-99 – SECURITY FIX: Added nonce verification AND capability check
 * BEFORE:
 *     ```wp-block-code
       function vc_saving_data() {if (isset($_REQUEST)) {    // Sanitizing $_REQUEST before saving    $vc_save_data = array_map( 'sanitize_text_field', $_REQUEST );    update_option( 'vc_save_data', $vc_save_data );}}
       ```
   
 *  AFTER:
 *     ```wp-block-code
       function vc_saving_data() {check_ajax_referer( 'vc_mega_addons_nonce', 'nonce' );if ( ! current_user_can( 'manage_options' ) ) {    wp_die( __( 'Unauthorized', 'mega-addons' ) );}if (isset($_REQUEST)) {    $vc_save_data = array_map( 'sanitize_text_field', $_REQUEST );    update_option( 'vc_save_data', $vc_save_data );}}
       ```
   
 * CHANGES MADE:
    - Line 88: Added check_ajax_referer( ‘vc_mega_addons_nonce’, ‘nonce’ );
    - Lines 90-92: Added capability check for manage_options
 * Line 117 – VERSION UPDATE
 * BEFORE:
   ```wp-block-code
   <p>Version 4.3.0</p>
   ```
 * AFTER:
   ```wp-block-code
   <p>Version 4.3.1</p>
   ```
 * ==============================================
 * FILE 2: includes/settings.php
 * Line 13-15 – SECURITY FIX: Added nonce field
 * BEFORE:
   ```wp-block-code
   <form id="addonsdata">
       <table class="form-table">
   ```
 * AFTER:
   ```wp-block-code
   <form id="addonsdata">
       <?php wp_nonce_field( 'vc_mega_addons_save', 'vc_mega_addons_nonce' ); ?>
       <table class="form-table">
   ```
 * CHANGES MADE:
    - Line 14: Added <?php wp_nonce_field( 'vc_mega_addons_save', 'vc_mega_addons_nonce' ); ?>
   
 * ==============================================
 * FILE 3: lib/admin.js
 * Line 7 – SECURITY FIX: Added nonce to AJAX call
 * BEFORE:
   ```wp-block-code
   data = data + '&action=vc_save_data';
   ```
 * AFTER:
   ```wp-block-code
   data = data + '&action=vc_save_data&nonce=' + jQuery('#vc_mega_addons_nonce').val();
   ```
 * CHANGES MADE:
    - Line 7: Added nonce parameter to AJAX data
 * ==============================================
 * FILE 4: index.php
 * Line 8 – VERSION UPDATE
 * BEFORE:
   ```wp-block-code
   Version: 4.3.0
   ```
 * AFTER:
   ```wp-block-code
   Version: 4.3.1
   ```
   
 * ==============================================
 * SECURITY ISSUES FIXED:
   1. CSRF (Cross-Site Request Forgery)
    - The AJAX action vc_save_data had no nonce verification
    - Attackers could trick authenticated admins into submitting forms
      FIX: Added check_ajax_referer() and wp_nonce_field()
   2. Broken Access Control (Subscriber+ Settings Update)
    - No capability check – any logged-in user could update settings
    - Should require 'manage_options' capability (admin only)
      FIX: Added current_user_can( 'manage_options' ) check
 * ==============================================
 * SUMMARY OF CHANGES:
 * main.php – 3 changes (nonce check, capability check, version)
   includes/settings.php – 1 change (nonce field)
   lib/admin.js – 1 change (nonce in ajax)
   index.php – 1 change (version)
 * Total files modified: 4
   Total changes: 6
 * I hope this helps others. User Note: I have not independently verified that this
   closes or fixes the two currently known security issues with this plugin. This
   is my best personal attempt at solving them in the short term until an official
   patch is released. Please use this information and patch details at your own
   risk.
    -  This topic was modified 1 week, 1 day ago by [webmasteral](https://wordpress.org/support/users/webmasteral/).
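A consolidated version of the save handler the post describes, written as an added example rather than the plugin's code or the poster's patch: it pairs the nonce action with the one used to create it, keeps the capability check, and persists only an allow-list of settings instead of the raw request. The option keys, the script handle and the `vcMegaAddons` JavaScript object are assumptions.

```php
<?php
// Added example (not the plugin's own code). Hook names come from the post;
// option keys and the script handle are placeholders.
add_action( 'admin_enqueue_scripts', function () {
    // Hand the nonce to lib/admin.js via a localized object instead of reading
    // it back out of the form DOM; the action string is the one verified below.
    wp_enqueue_script( 'vc-mega-addons-admin', plugins_url( 'lib/admin.js', __FILE__ ), array( 'jquery' ), '4.3.1', true );
    wp_localize_script( 'vc-mega-addons-admin', 'vcMegaAddons', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'vc_mega_addons_save' ),
    ) );
} );

// wp_ajax_* only fires for logged-in users; no wp_ajax_nopriv_ hook is registered.
add_action( 'wp_ajax_vc_save_data', 'vc_mega_addons_save_data' );

function vc_mega_addons_save_data() {
    // 1. CSRF: first argument must equal the action passed to wp_create_nonce()
    //    / wp_nonce_field(); second is the request field carrying the token.
    //    check_ajax_referer() terminates the request when the nonce is bad.
    check_ajax_referer( 'vc_mega_addons_save', 'nonce' );

    // 2. Access control: a valid nonce only proves the request came from a
    //    page this user loaded, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
    }

    // 3. Store only known settings. Saving array_map('sanitize_text_field',
    //    $_REQUEST) would also persist 'action', 'nonce' and any extra keys
    //    the client chooses to send. Placeholder keys for illustration.
    $allowed = array(
        'addon_one'        => 'checkbox',
        'addon_two'        => 'checkbox',
        'custom_css_class' => 'text',
    );
    $clean = array();
    foreach ( $allowed as $key => $type ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        $clean[ $key ] = ( 'checkbox' === $type )
            ? ( '1' === (string) $_POST[ $key ] ? '1' : '0' )
            : sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
    }

    update_option( 'vc_save_data', $clean );
    wp_send_json_success( array( 'saved' => array_keys( $clean ) ) );
}
```

On the client side the AJAX payload would then carry `nonce: vcMegaAddons.nonce` alongside `action: 'vc_save_data'`, which is the same pairing the poster's admin.js change achieves by reading the hidden field.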


## Tags

 * [update](https://wordpress.org/support/topic-tag/update/)

 * 0 replies
 * 1 participant
 * Last reply from: [webmasteral](https://wordpress.org/support/users/webmasteral/)
 * Last activity: [1 week, 1 day ago](https://wordpress.org/support/topic/public-security-patch/)
 * Status: not resolved