Cross Site Scripting (XSS) vulnerability in Brizy v2.6.14

Comments

7 comments

  • Ariel H.

    Hi Thanasis,

    Thank you for contacting us. We have received a similar report regarding the Cross Site Scripting (XSS) vulnerability in versions 2.6.14 and earlier, and our developers are already investigating the issue.

    Best regards,
    Ariel H.

    -1
  • Holly Reardon

    Hello - do we have an update on when a patch is expected?

    0
  • KC George

    Hello Holly,

    We do not have an update on this vulnerability yet. We are still working on a fix. 

    0
  • S R Savoor

    Hello KC

    Has the issue been solved? I ask as our CleanTalk system has reported this to me today.

    Thanks.

    0
  • KC George

    Hello S R Savoor,

    Patchstack has published a few vulnerability reports about Brizy. Security plugins like Wordfence and WPMU DEV's Defender Pro provide a warning about this vulnerability based on the original Patchstack report. Their latest report is https://patchstack.com/database/wordpress/plugin/brizy/vulnerability/wordpress-brizy-plugin-2-6-14-cross-site-scripting-xss-vulnerability

    Patchstack has assigned a low priority for this vulnerability. You can see different levels of Patchstack Priority at https://patchstack.com/articles/patchstack-introducing-patchstack-priority/ 

    1. High Priority vulnerabilities are expected to become actively exploited or are already known to be actively exploited. From the time we discover it, we usually fix such a vulnerability within 24 hours.
    2. Medium Priority vulnerabilities could be exploited in more targeted attacks and are not yet publicly known to be exploited. These are often fixed in a few days to a week.
    3. Low Priority vulnerabilities are not expected to become exploited or not known to be exploited. These are fixed in one to four weeks. 

    Our developers have been informed about this low priority vulnerability. We hope to bring out a fix soon.

    0
  • Epifanio Munoz Quintero

    Any update? Using Brizy, we have been the victim of cross-site scripting, and the analysis we got says that Brizy is the only one with this vulnerability as of 2.6.22 and Pro 2.6.14.

    0
  • KC George

    Hello Epifanio,

    The cross-site scripting vulnerability in Brizy was fixed in an earlier version, and Brizy 2.6.22 and Brizy Pro 2.6.14 are free from it. Since we haven't sent Patchstack (the company that discovered the vulnerability) the patched Brizy version, they could not confirm the fix and change the vulnerability status in their database. Hence security tools may continue to report the vulnerability with the latest Brizy versions. Kindly disregard the warning, as the fix for this vulnerability is included in the latest Brizy versions.

    0