Skip to main content

Church Admin CVE-2026-61983

| EUVDEUVD-2026-43320 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable with no auth or complexity required (AV:N, AC:L, PR:N, UI:N); only limited unauthorized writes possible, no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 10:21 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30.

AnalysisAI

Missing authorization in the Church Admin WordPress plugin (versions through 5.0.30) allows unauthenticated remote attackers to invoke plugin endpoints and perform unauthorized write operations without authentication. The root cause is incorrectly configured access control security levels (CWE-862), where certain plugin actions omit the required capability or nonce checks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with Church Admin plugin active
Exploit
Send unauthenticated HTTP request to unprotected plugin endpoint
Execution
Bypass missing authorization check
Impact
Execute unauthorized write operation against plugin data

Vulnerability AssessmentAI

Exploitation The Church Admin plugin (version ≤ 5.0.30) must be installed and active on the target WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) reflects a remotely exploitable, low-complexity flaw requiring no privileges and no user interaction (AV:N/AC:L/PR:N/UI:N), but with impact constrained to low-integrity writes only (I:L, C:N, A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request directly to the Church Admin plugin's unprotected admin-ajax or REST endpoint, omitting or forging expected authorization parameters. Because no credential or nonce validation is enforced (PR:N, AC:L), the plugin executes the requested write action - potentially modifying member records, event data, or plugin configuration - without the attacker ever logging in. …
Remediation No vendor-released patched version has been independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy