While looking into an issue with the Brizy WordPress plugin, which has 80,000+ installs, we ran across a concerning security situation. The most recent support topic for the plugin is titled “Is this plugin abandoned?” and reads:

4 weeks without any update, Wordfence show a critical vulnerability and has not been made compatible with the latest WordPress 6.8

There is a roadmap for updates??

That was from April 16 and hasn’t received a response.

Vulnerability Claim

There is a vague claim that there is a vulnerability from Patchstack, but there is no way to vet the claim, as they vaguely claim there is a cross-site scripting (XSS) vulnerability, but not even what type of XSS vulnerability. They gave this description:

This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site.

Then in fine print say this:

This is a general description of this vulnerability type, specific impact varies case by case. CVSS score is a way to evaluate and rank reported vulnerabilities in a standardized and repeatable way, but it is not ideal for CMSs.”

Considering Patchstack’s long track record of inaccurate information, this could involve a much more serious issue than they present it as, or it could not be a vulnerability at all.

Before we continue on with the claimed vulnerability, its worth not what we ran across while trying to get in touch with the developer.

Broken Issue Reporting

As part of the issue we were dealing with, we tried to report a minor security issue in the plugin to the developer. The FAQ on the WordPress Plugin Directory page for the plugin says to report issues through its GitHub project. The project doesn’t have a security policy, which is a bad sign for handling of security. As it was a minor security issue, it should be safe to report a public issue. The problem with doing that, we found, is that the issue reporting has been disabled for the project. For whatever reason, GitHub makes it appear as if it isn’t disabled. Here is the page the developers of Brizy link to that makes it look like reporting issues is possible:

[insert image https://github.com/ThemeFuse/Brizy/issues

Clicking the “New issue” button takes you to a page that makes it seem possible as well:

[insert image https://github.com/ThemeFuse/Brizy/issues/new

Trying to submit an issue leads to a vague message that says “Unable to create issue.” being shown. The underlying response that causes that vague message contains a clear message about what is going on, “Issues has been disabled in this repository.”

Someone Screwed Up Here

After failing to be able to report the security issue through GitHub, we then went looking for information on Brizy’s website on how to report security issues. From that, we found that there are multiple reports on their website’s support forum about the claimed vulnerability. From that we found this claim made by Brizy:

It’s interesting to note that PatchStack released this vulnerability 3 days ago when it was discovered on September 21, 2024, six months ago. When this vulnerability was found six months ago, Brizy 2.6.14 was not yet released. We have emailed PatchStack to request further information, and we will take steps to fix this vulnerability.

And this screenshot from Patchstack’s website:

There are multiple issues based on that. Someone apparently reported the vulnerability to Patchstack instead of the developer. Patchstack makes no claim they ever tried to contact the developer in over six months after it was incorrectly reported to them. They also didn’t warn people about it for six months. Even now, though, they haven’t provided information needed to vet their claim.

In another post by Brizy, it was claimed that they didn’t know about this beforehand:

When the above vulnerability was reported on 13 December 2024, it was available as internal document within Patchstack and possibly a notification was sent to their user base. We have access to the document only after it was published on 09 April 2025. The issue has been escalated to our developers on the same day and we are currently working on it.

It would be highly inappropriate for Patchstack to do what is described there and our own experience shows that Brizy isn’t handling reporting issue in general well, so it is possible that Patchstack had notified Brizy beforehand. Though, they don’t make the obvious to make statement that they did make an attempt to contact the developer.

It is now 42 days later and there apparently isn’t a fix yet. In the meantime, four updates have been released to the plugin, including one that was fairly significant.

Brizy has been citing Patchstack for not having released a fix yet:

They have assigned “Low Priority” for this vulnerability. Kindly see the PatchStack priority definitions at https://patchstack.com/articles/patchstack-introducing-patchstack-priority/

1. High Priority vulnerabilities are expected to become actively exploited or already known to be actively exploited. From the time we discover a high priority vulnerability, we usually fix it within 24 hours.
2. Medium Priority vulnerabilities could be exploited in more targeted attacks and are not yet publicly known to be exploited. These are often fixed in a few days to a week.
3. Low Priority vulnerabilities are not expected to become exploited or not known to be exploited. These are fixed in one to four weeks.

The issue has been escalated to our developers and we are currently working on it. We hope to release a fix within a 1-4 weeks.

Considering that Patchstack’s priority assessment is based on information they know isn’t reliable, it would be a bad idea to rely on that, as Brizy is claiming to do.

That received a reply from our their users that “This does not sound low priority to me.”