While looking into an issue with the Brizy WordPress plugin, which has 80,000+ installs, we ran across a concerning security situation. The most recent support topic for the plugin is titled “Is this plugin abandoned?” and reads:
4 weeks without any update, Wordfence show a critical vulnerability and has not been made compatible with the latest WordPress 6.8 [Read more]
When it comes to security issues with WordPress plugins, the team running the WordPress Plugin Directory continues to make matters worse. One area we have seen that occurring for some time (and that we have been criticized for taking action to protect our customers from) is with the closure of popular plugins with security issues. That occurred again recently with Brizy, which has 60,000+ installs. The WPScan Vulnerability Database belated warned about a vulnerability in the plugin yesterday with this timeline (we had warned any of the customers of our service that were impacted last month):
February 10th, 2020 – Report received & WP Plugins Team notified.
February 12th, 2020 – WP Plugin Team Investigating
February 12th, 2020 – v1.0.114 released in SVN, fixing the issue. However, the plugin is still closed
March 3rd, 2020 – Seeing probes checking for the issue
March 4th, 2020 – Contacted WP Plugin to have an ETA about re-opening the plugin
March 5th, 2020 – Plugin can not be re-opened yet as there are other issues (including legal ones), as well as incomplete fixes
March 5th, 2020 – Issue disclosed, we recommend to remove the plugin until a new version is available and downloadable [Read more]
The plugin Brizy was closed on February 12 without an explanation why, but isn’t hard to guess when looking at the changelog for the version released the same day, “Fixed: Builder settings page access” and the changes made in that version, which showed that code was added to restrict access to change the plugin’s setting unless someone was logged in to WordPress as an Administrator:
…