Brizy Pro 2.6.1 (and up to 2.6.6 according to WPEngine) & Brizy Plugin (<= 2.6.14) vulnerable to Cross Site Scripting (XSS)
Just migrated to WPEngine, and they are flagging the latest Brizy Pro Plugin 2.6.6 as a Security Risk:
Security risk: xss. Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration.
Severity: medium
Fixed in: no fix yet
A quick Google and this appears to be the case since v2.6.1:
https://patchstack.com/database/wordpress/plugin/brizy-pro/vulnerability/wordpress-brizy-pro-plugin-2-6-1-reflected-cross-site-scripting-xss-vulnerability
Just wondering if this is being worked on to be rectified?
-
Hello Dennis,
The above vulnerability was discovered with Brizy Pro 2.6.1 and it was fixed in the subsequent versions. (Since Patchstack researcher Rafie Muhammad has not made note of our fix, information regarding the version in which it was fixed is not available on their website)
-
Thanks K C George. Do you know how to get this removed from Patchstack then (I will be able to contact WPEngine to report as rectified through Support once done)?
-
Hello Dennis,
As the plugin developer, we must sign up with the mVDP platform and upload the patched version. Patchstack will then validate the fix and mark it as fixed. The patched version number will thereafter be available in their vulnerability database. We do not currently have a plan to upload the patched version to Patchstack.
-
Hi, the Brizy plugin is now getting flagged via ManageWP (owned by GoDaddy) & WPEngine as being vulnerable via Patchstack at version 2.6.14.
Should I open a new ticket on this, or is this related to the same Brizy Pro Plugin issue?
Can we get someone to lodge this please as being rectified?
-
Hello Dennis,
We appreciate you alerting us to this issue. We have forwarded it to our developers for review.
It's interesting to note that PatchStack released this vulnerability 3 days ago when it was discovered on September 21, 2024, six months ago. When this vulnerability was found six months ago, Brizy 2.6.14 was not yet released. We have emailed PatchStack to request further information, and we will take steps to fix this vulnerability.