A high-severity vulnerability has been identified in the "Advanced Views" plugin for WordPress, which could allow an attacker to execute malicious code on the server. Successful exploitation could lead to a complete compromise of the affected website, potentially resulting in data theft, website defacement, or further attacks on the internal network. Organizations using this plugin are strongly advised to take immediate action to mitigate this critical risk.

The vulnerability is a Server-Side Template Injection (SSTI). The plugin improperly sanitizes user-supplied input before it is processed by the server-side template engine. An authenticated attacker, potentially with low-level privileges such as a contributor, can inject malicious template directives into fields processed by the plugin. When the server renders the page, it executes this malicious code, which can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the underlying server with the permissions of the web server process.

This vulnerability is classified as High severity with a CVSS score of 8.8, posing a significant risk to the business. A successful attack could result in the complete compromise of the web server, leading to the exfiltration of sensitive data, such as customer information, user credentials, and proprietary business data. Further consequences include reputational damage from website defacement, loss of customer trust, and potential use of the compromised server as a launch point for attacks against other systems within the organization's network.

Immediate Action:

• Immediately update the "Advanced Views – Display Posts, Custom Fields, and More" plugin to the latest patched version (greater than version 3).
• If the plugin is not critical to business operations, consider deactivating and uninstalling it to eliminate the attack surface entirely.
• Review WordPress user roles and permissions to ensure users only have the minimum level of access required for their function.

Proactive Monitoring:

• Monitor web server access logs (e.g., Apache, Nginx) for unusual POST requests to pages utilizing the vulnerable plugin's functionality.
• Look for suspicious patterns in request data that include common template syntax (e.g., {{...}}, {%...%}, ${...}).
• Monitor for unexpected outbound network connections or new processes being spawned by the web server process (e.g., www-data, apache).

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SSTI attack patterns.
• Implement stricter file integrity monitoring on the web server to detect unauthorized changes to core WordPress files, themes, or plugins.
• Harden the web server environment by disabling unnecessary functions and enforcing strict file permissions to limit the impact of a potential code execution event.

Public Exploit Available: true

Given the high CVSS score of 8.8 and the public availability of exploit code, this vulnerability presents a critical and immediate threat. We strongly recommend that all organizations using the affected WordPress plugin apply the security update provided by the vendor without delay. Although this CVE is not currently listed on the CISA KEV catalog, its severity and the ubiquity of WordPress make it a high-priority candidate for patching. A failure to act promptly could result in a significant security breach.