Comments

2 comments

  • KC George

    Hello Alex

    PatchStack first published the vulnerability report that WordFence had quoted. https://patchstack.com/database/wordpress/plugin/brizy/vulnerability/wordpress-brizy-plugin-2-6-14-cross-site-scripting-xss-vulnerability is the URL of the original report.

    They have assigned "Low Priority" for this vulnerability. Kindly see the PatchStack priority definitions at https://patchstack.com/articles/patchstack-introducing-patchstack-priority/

    1. High Priority vulnerabilities are expected to become actively exploited or already known to be actively exploited. From the time we discover a high priority vulnerability, we usually fix it within 24 hours.
    2. Medium Priority vulnerabilities could be exploited in more targeted attacks and are not yet publicly known to be exploited. These are often fixed in a few days to a week.
    3. Low Priority vulnerabilities are not expected to become exploited or not known to be exploited. These are fixed in one to four weeks.

    The issue has been escalated to our developers and we are currently working on it. We hope to release a fix within 1-4 weeks.

    0
  • Alex G

    This does not sound low priority to me:

    "The Brizy plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."

    0
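The advisory text quoted above names the two defects behind a stored XSS of this kind: insufficient input sanitization and insufficient output escaping. The snippet below is an added illustration written for this thread; it is not code from Brizy, WordFence or Patchstack, and every function and meta-key name in it (`example_*`, `_example_subtitle`) is hypothetical. It sketches a made-up plugin that stores a per-post subtitle entered by the post author and prints it on the front end, first in the pattern the advisory describes and then hardened. The contributor-level detail matters for the threat model: WordPress core runs `post_content` through kses for users who lack the `unfiltered_html` capability, but data a plugin persists itself through `update_post_meta()` receives no such filtering unless the plugin applies it.

```php
<?php
// Added illustration, not Brizy's code. A hypothetical plugin that saves a
// per-post "subtitle" from the edit screen and renders it on the public page.
// All function names and the meta key are made up for this example.

// ---- Vulnerable pattern: no sanitization on save, no escaping on output ----
function example_save_subtitle_unsafe( $post_id ) {
    if ( isset( $_POST['example_subtitle'] ) ) {
        // Raw request value persisted as-is. Core's kses filter only covers
        // post_content, so whatever markup a contributor submits is stored.
        update_post_meta( $post_id, '_example_subtitle', wp_unslash( $_POST['example_subtitle'] ) );
    }
}

function example_render_subtitle_unsafe( $post_id ) {
    $subtitle = get_post_meta( $post_id, '_example_subtitle', true );
    // Stored value echoed into both an attribute and element text without
    // escaping: any stored markup runs for every visitor who loads the page.
    echo '<p class="subtitle" title="' . $subtitle . '">' . $subtitle . '</p>';
}

// ---- Hardened pattern: authorize, sanitize on input, escape on output ----
function example_save_subtitle_safe( $post_id ) {
    // Only a user allowed to edit this post, submitting through our own form.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_subtitle' ) ) {
        return;
    }
    if ( isset( $_POST['example_subtitle'] ) ) {
        // A subtitle is plain text: sanitize_text_field() strips tags,
        // octets and line breaks before the value is stored.
        $clean = sanitize_text_field( wp_unslash( $_POST['example_subtitle'] ) );
        update_post_meta( $post_id, '_example_subtitle', $clean );
    }
}

function example_render_subtitle_safe( $post_id ) {
    $subtitle = get_post_meta( $post_id, '_example_subtitle', true );
    // Escape on output with the escaper that matches each context:
    // esc_attr() inside the attribute, esc_html() inside the element text.
    // Save-time sanitization is not a substitute, because stored values may
    // predate the fix or arrive through other paths (REST, import, DB edits).
    printf(
        '<p class="subtitle" title="%s">%s</p>',
        esc_attr( $subtitle ),
        esc_html( $subtitle )
    );
}

// If the field legitimately needs limited markup (bold, links), use
// wp_kses_post() on both save and output instead of sanitize_text_field() /
// esc_html(); it allows the same tag set core permits in post content for
// users without unfiltered_html.
add_action( 'save_post', 'example_save_subtitle_safe' );
```

When reviewing a plugin for this class of bug, the check is mechanical: every value that originates from a request must pass through a sanitizer before it is stored, and every value that reaches HTML must pass through the escaper for its exact context (`esc_html`, `esc_attr`, `esc_url`, or `wp_kses_post` for rich text), regardless of what happened at save time.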
