WordPress Brizy Plugin <= 2.6.21 is vulnerable to Cross Site Scripting (XSS)
Dear Brizy Support Team,
I received a security alert from my hosting provider stating that the Brizy WordPress Plugin (version ≤ 2.6.21) is vulnerable to Cross-Site Scripting (XSS).
Could you please confirm if this issue has been addressed in a newer version? If not, I kindly urge your team to investigate and release a patch as soon as possible.

Thank you for your attention and continued support.
Regards,
GV
Hi GV,
Thank you for reaching out.
We are aware of the security report related to a potential Cross-Site Scripting (XSS) vulnerability, and we want to assure you that this issue has already been addressed in our latest version.
The fix ensures that only trusted users (like site administrators) can input advanced content types, such as custom code, while standard user roles (like Authors or Contributors) are restricted, just as WordPress recommends. This helps protect your site from potential misuse.
To stay fully protected, we recommend updating Brizy to the latest version available in your dashboard.
Best regards,
Ariel H.
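The role-based restriction described in the reply above, shown as an added PHP illustration that is not Brizy's own code: WordPress core expresses "trusted user" through the `unfiltered_html` capability, so a save handler can store raw custom code only for users who hold it and run everyone else's input through the core allow-list filter. The function name and the nonce/permission checks left to the caller are assumptions.

```php
<?php
// Added illustration (not Brizy's code). Gate raw HTML/script input on the
// WordPress 'unfiltered_html' capability. On a single site core grants it to
// Administrators and Editors; Authors and Contributors do not have it. On a
// multisite install only super admins hold it, and defining
// DISALLOW_UNFILTERED_HTML removes it from every role.
function demo_save_custom_code( string $submitted ): string {
    // Assumption: the caller has already verified a nonce and confirmed that
    // the current user may edit the post this code is attached to.
    if ( current_user_can( 'unfiltered_html' ) ) {
        // Trusted role: store the markup exactly as submitted.
        return $submitted;
    }

    // Lower-privileged role: remove <script>, inline event handlers and any
    // other tag or attribute outside the allow-list WordPress uses for posts.
    return wp_kses_post( $submitted );
}

// Defensive check useful when reviewing a site after an advisory: list the
// roles that can currently inject unfiltered markup, so unexpected grants
// (for example, a plugin adding the capability to Contributors) stand out.
function demo_roles_with_unfiltered_html(): array {
    $roles = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities']['unfiltered_html'] ) ) {
            $roles[] = $slug;
        }
    }
    return $roles;
}
```

Running `demo_roles_with_unfiltered_html()` on a stock single-site install returns `administrator` and `editor`; any additional role in that list deserves a second look.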
Hi Ariel,
Thanks for the clarification. However, my WordPress dashboard still shows version 2.6.21 as the latest, and my hosting provider continues to flag this version as vulnerable due to the known XSS issue.

Could you confirm:
- If the patched version has been submitted to the WordPress Plugin Directory?
- Or, if the fix is applied silently in version 2.6.21, so I can notify my host accordingly?
Appreciate your clarification so we can ensure proper security compliance.
Regards,
GV
Hi GV,
My apologies for the delay.
The fix has already been applied. However, getting it officially whitelisted by security tools like Patchstack requires a separate membership and goes through an external review process, which can take some time.
You can let your hosting provider know that the vulnerability has been addressed in the current version, even though it may still appear flagged until the review is completed.
Please let me know if you need anything else.
Best regards,
Ariel H.

Hi Ariel,
Several (more than 5) months ago I reported the exact same issue. Ever since, even though I have been updating both Brizy and Brizy Pro to their latest versions, I keep getting the same alert notification.
Given that I am serving a dozen corporate websites built on Brizy, should I be concerned?
Kind regards,
Thanasis
Hi Thanasis,
Thank you for getting back to us, and I understand your concern—especially when managing multiple corporate websites.
All vulnerabilities previously reported by Patchstack have already been addressed and included in the latest versions of Brizy and Brizy Pro. We've also recently coordinated with Patchstack regarding this, but it may take some time before they review the patched versions and update their database.
In the meantime, rest assured that your sites are running on secure versions.
Kind regards,
Ariel H.
Thank you Ariel for your swift and thorough response, I appreciate it!
As far as I am concerned I am covered.
Kind regards,
Thanasis