Skip to main content

Church Admin CVE-2024-37418

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-07-09 audit@patchstack.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
CVSS changed
Apr 29, 2026 - 10:22 NVD
9.9 (CRITICAL)
Patch released
Apr 01, 2026 - 16:23 nvd
Patch available
CVE Published
Jul 09, 2024 - 11:15 nvd
N/A

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.4.6.

AnalysisAI

Remote code execution in the Church Admin WordPress plugin (versions up to and including 4.4.6) allows authenticated low-privilege users to upload files of dangerous types, leading to full compromise of the underlying WordPress site. The CVSS 9.9 score reflects scope change and complete confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS scores exploitation probability at 1.58% (82nd percentile).

Technical ContextAI

Church Admin is a WordPress plugin developed by andy_moyle for managing church-related operations such as member directories, events, and donations, deployed as a PHP application within the WordPress ecosystem (CPE: cpe:2.3:a:church_admin_project:church_admin). The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where the plugin's file upload handler fails to validate file extensions, MIME types, or content against an allowlist. This permits uploading executable PHP files into a web-accessible directory, where the WordPress/Apache stack will execute them upon HTTP request, enabling arbitrary code execution under the web server context.

RemediationAI

Patch available per vendor advisory - upgrade the Church Admin plugin to a version later than 4.4.6 via the WordPress plugin dashboard or by retrieving the latest release from wordpress.org/plugins/church-admin/ and consulting the Patchstack advisory for confirmed fix version details. If immediate patching is not feasible, compensating controls include restricting the WordPress user role capabilities to remove upload permissions from low-privilege accounts, deploying a Web Application Firewall rule to inspect and block POST requests containing PHP file extensions or PHP code signatures targeting Church Admin endpoints, and configuring the web server (e.g., Apache or nginx) to deny PHP execution within the plugin's upload directories - though this last control may break legitimate plugin functionality and should be tested.

Share

CVE-2024-37418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy