[emilv]

That domain name sure looks like a phishing scam.

Six days to take down the websites and start bugfixing is a lot of time for this kind of vulnerability.

[thyrsus]

It is quite possible the clients do not have access to the source code. They may further have no competence in coding nor even in obtaining competent assistance in coding.

[emilv]

They still should be able to figure out how to take down the website to avoid being exploited.