Cross-Site Request Forgery (CSRF) vulnerability leading to plugin Options Update (Enable/Disable Element) discovered by Rasi Afeef in WordPress Mega Addons For WPBakery Page Builder plugin (versions <= 4.2.7).
Deactivate and delete. No reply from the vendor.