WP Engine Security: Plugin Vulnerability Notification

Martin Boogerd

• March 05, 2020 20:15
• Edited

At WP Engine we take the security of your sites very seriously, and make every effort to keep our customers aware of any potential security risks. We are reaching out to you today because we identified your site(s), is (are) utilizing a vulnerable version of the Brizy plugin.

 

At this time, the plugin is currently closed for new downloads or updates in the WP.org repo. To secure your site, WP Engine will be automatically disabling the Brizy plugin on your WordPress installation.

 

WP Engine summary of the vulnerability: This vulnerability could enable non-logged in users to make settings updates on your WordPress site.

 

Plugin Authors' summary of the vulnerability and patch (changelog): Please note that questions related to this documentation should be directed to the plugin Author and not WP Engine: https://wordpress.org/plugins/brizy/#developers

 

Original 3rd-party's report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine: https://wpvulndb.com/vulnerabilities/10112

1

• 

  robyn mcinnes

  • March 05, 2020 20:48

  I have gotten the same warning email from WP Engine as well. Is there plans for a Fix/update in the near future?

  1
• 

  Martin Boogerd

  • March 05, 2020 20:53
  • Edited

  I am sure but it's been removed from the WP repository for a while now.  Problem is, WPengine is going to unpublished it and the website will be gone.    

  You face this risk with any builder you use, but still it's an issue.  I reached out to WPengine to see if they can halt our disabling since we have a dedicated solution with them.  No word yet.

  
  We only used it to skin out a cpl of quick websites due to time constraints.

   

   

  0
• 

  robyn mcinnes

  • March 06, 2020 14:24

  WP engine deactivated the Brizy plugin automatically on our site yesterday breaking the layout.  I reached out WP Engine this morning and their technical support told me this after sharing this post  "We haven't received any further updates beyond that. And since it has been removed from the WP repo, signs point to the vulnerability persisting for the foreseeable future"
  
  Will Brizy be able to work on a patch soon  as this is a  critical issue.   

   

  Thank you

  1
• 

  Martin Boogerd

  • March 06, 2020 15:25

  Just reactivate the plugin and update it now.

  0
• 

  robyn mcinnes

  • March 06, 2020 15:28

  I don't see a new update yet today. What version should the security patch be in?

  

  Thanks

  0
• 

  Martin Boogerd

  • March 06, 2020 15:32
  • Edited

  .114 is the one that came out so it look like you are good to do. It's also live on the WP repo again.

  0
• 

  robyn mcinnes

  • March 06, 2020 15:37

  Ok thank you. I have confirmed it with WP Engine and their response was: If they provided a patch and you have updated, then you should be all set. Our vulnerability scanners are mostly automated, so if all is patched, it won't get deactivated.

  0
• 

  Martin Boogerd

  • March 06, 2020 15:49

  Very welcome Robyn.

  0
• 

  Alex

  • March 07, 2020 09:42

  why I love the community - because people help each other until you get to the question in the queue :).

  The Brizy is back on WordPress library and now you should have no problems in this regard.  Thank you guys for your involvement.

  0

Please sign in to leave a comment.