But what was the original vulnerability?
The actions taken (i.e., releasing a new version of the affected application) only make sense if the original vulnerability in the web server has been identified and patched.
Otherwise, what's to stop this new version from getting infected in the same way?
You shouldn't use *any* software from this developer until the question is answered: what was the actual vulnerability, and how was it fixed?