CVE-2025-15396
WordPress · WordPress Library Viewer plugin
Executive summary
A high-severity vulnerability has been identified in the Library Viewer WordPress plugin, affecting all versions prior to version 3. This flaw could allow an attacker to access and manipulate the website's database, potentially leading to a data breach, website defacement, or a full site compromise. Organizations using this plugin are strongly advised to take immediate action to mitigate this significant security risk.
Vulnerability
The Library Viewer plugin is vulnerable to authenticated SQL injection. A low-privileged authenticated user, such as a subscriber, can send a crafted request to a specific function within the plugin. Because the plugin does not adequately sanitize this input before using it in a database query, the attacker can execute arbitrary SQL statements against the WordPress database, bypassing the plugin's intended access restrictions.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.1. Successful exploitation could lead to severe business consequences, including the theft of sensitive data such as user credentials, personal information, and customer data. An attacker could also modify or delete website content, causing reputational damage and loss of customer trust. The compromise of the website could serve as a pivot point for further attacks into the corporate network or be used to distribute malware to visitors.
Remediation
Immediate Action: Update the Library Viewer WordPress plugin to version 3 or newer, which contains the patch for this vulnerability. If the plugin is not critical to business operations, the recommended course of action is to deactivate and completely remove it to eliminate the associated attack surface.
Proactive Monitoring: Monitor web server access logs for unusual or malformed POST/GET requests targeting the Library Viewer plugin's endpoints. Implement database activity monitoring to detect and alert on suspicious queries, such as those containing UNION, SELECT, or other SQL syntax indicative of an injection attack.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection patterns. Ensure the WordPress database user account operates with the principle of least privilege and cannot perform system-level or file-system operations.
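Log-based detection for the monitoring step above, as an added example that is not part of this advisory or the plugin's own code: a Python script that parses combined-format web server access-log lines, keeps only requests aimed at the plugin, URL-decodes each query parameter and scores it against the SQL syntax indicators the advisory names (UNION, SELECT and similar). The sample log lines, the plugin directory /wp-content/plugins/library-viewer/ and the ajax action prefix library_viewer are constructed assumptions, not endpoints taken from the plugin.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample in Apache/nginx "combined" log format; these are not real
# requests, and the plugin paths and ajax action name are assumptions
# (placeholders for whatever endpoints the plugin exposes in your deployment).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:01:02 +0000] "GET /wp-content/plugins/library-viewer/view.php?id=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2025:10:01:09 +0000] "GET /wp-content/plugins/library-viewer/view.php?id=17%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=library_viewer_search&q=history HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:02:20 +0000] "GET /wp-admin/admin-ajax.php?action=library_viewer_search&q=x%27%20OR%201%3D1--%20- HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2025:10:02:31 +0000] "GET /wp-admin/admin-ajax.php?action=library_viewer_search&q=pre--release HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Jan/2025:10:03:00 +0000] "GET /blog/select-your-union-membership/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# One regex for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Substrings that identify requests aimed at the plugin (assumed values; replace
# with the real plugin directory and ajax action names observed on your site).
PLUGIN_PATH_HINTS = ("/wp-content/plugins/library-viewer/", "action=library_viewer")

# SQL syntax indicators with weights: strong ones flag on their own, a lone
# comment sequence does not (it appears in ordinary text such as "pre--release").
SQLI_INDICATORS = (
    (r"\bunion\b\s+(all\s+)?select\b", "union-select", 2),
    (r"\bselect\b.+\bfrom\b", "select-from", 2),
    (r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", "tautology", 2),
    (r"\b(sleep|benchmark)\s*\(", "time-based", 2),
    (r"\binformation_schema\b", "schema-probe", 2),
    (r"(--|/\*|#)", "sql-comment", 1),
)


def normalise(value: str) -> str:
    """Decode twice so double-URL-encoded payloads are seen in the clear, then lowercase."""
    return unquote_plus(unquote_plus(value)).lower()


def targets_plugin(target: str) -> bool:
    """True when the request line's path or query points at the plugin."""
    decoded = normalise(target)
    return any(hint in decoded for hint in PLUGIN_PATH_HINTS)


def score_value(value: str) -> tuple[int, list[str]]:
    """Return the total weight and the names of indicators found in one parameter value."""
    decoded = normalise(value)
    hits = [(name, weight) for pattern, name, weight in SQLI_INDICATORS
            if re.search(pattern, decoded)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def analyse_log(text: str, threshold: int = 2) -> list[dict]:
    """Scan access-log text and return one finding per suspicious plugin request parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not targets_plugin(m["target"]):
            continue  # unparsable, or not aimed at the plugin: out of scope
        for param, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            score, indicators = score_value(value)
            if score >= threshold:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                    "param": param, "indicators": indicators, "score": score,
                })
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} param={f['param']} "
              f"score={f['score']} indicators={','.join(f['indicators'])}")
```

Access logs record only the request line, so this sees GET query strings; the POST bodies the advisory also mentions appear only in a WAF or ModSecurity audit log, or at the database layer through the activity monitoring it recommends. The path scoping matters: the blog URL in the sample contains the words select and union but is never scored because it is not a plugin request, which keeps the rule from alerting on ordinary site content.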
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.1) of this vulnerability and the potential for significant data compromise, we strongly recommend that all organizations using the Library Viewer plugin apply the necessary updates immediately. Although this CVE is not currently listed on the CISA KEV catalog, the risk of exploitation is substantial. Prioritize patching this vulnerability within your standard remediation timelines for high-severity findings to prevent potential data breaches and protect your organization's reputation.