
Vulnerability Warnings - Patchstack and others.

Comments

5 comments

  • KC George

    Hello Christopher,

    This security vulnerability has a low impact severity and is unlikely to be exploited, as stated in the report above. We are working on a patch for the vulnerability that was published by Patchstack two days ago. We hope to release a fix soon as part of a future update.

    0
  • Christopher Grainger

    The vulnerability was recorded on the 13th of December 2024; it was made *public* on the 9th of April.

    I expect all your Brizy Pro users are looking for a bit more commitment than "we *hope* to release a fix soon."

    Of your total client userbase, each and every admin of worth will be fanatical about security. With WordPress running at about 40% of all websites it's a primary target for those looking to breach and infect sites.

    It's not a question of if the exploit can be utilised, it's a question of when.

    We are reliant on your development team to fix it with all due haste, it's not only our reputation on the line here, it's also yours.

    Are we talking days, weeks or months for a fix?

    C.

    1
  • KC George

    Hello Christopher,

    Kindly refer to the different levels of Patchstack Priority at https://patchstack.com/articles/patchstack-introducing-patchstack-priority/

    1. High Priority vulnerabilities are expected to become actively exploited or are already known to be actively exploited. From the time we learn about such a vulnerability, we usually fix it within 24 hours.
    2. Medium Priority vulnerabilities could be exploited in more targeted attacks and are not yet publicly known to be exploited. These are often fixed in a few days to a week.
    3. Low Priority vulnerabilities are not expected to become exploited or are not known to be exploited. These are fixed in one to four weeks.

    When the above vulnerability was reported on 13 December 2024, it was available as an internal document within Patchstack, and possibly a notification was sent to their user base. We have had access to the document only since it was published on 09 April 2025. The issue was escalated to our developers on the same day and we are currently working on it.

    We are aware that this low priority vulnerability may cause some users to get falsely alarmed, which could even raise their anxiety levels. Kindly assist such users in correctly interpreting the vulnerability report in accordance with the PatchStack priority definitions.

    0
  • Sam Rae

    It's July and Patchstack now lists three unpatched vulnerabilities for Brizy Pro and one for Brizy, all of which were reported April at the latest. What's the progress on these?

    0
  • KC George

    Hello Sam,

    All vulnerabilities reported by Patchstack were fixed and the latest Brizy versions contain those patches. Patchstack may continue to show that previously reported vulnerabilities are not yet fixed because we have not submitted the patched version to them and they did not have an opportunity to verify the patch and update their database.

    0
