Church Admin
Monthly
Missing authorization in the Church Admin WordPress plugin (versions through 5.0.30) allows unauthenticated remote attackers to invoke plugin endpoints and perform unauthorized write operations without authentication. The root cause is incorrectly configured access control security levels (CWE-862), where certain plugin actions omit the required capability or nonce checks. No public exploit code or active exploitation has been identified at time of analysis, though the zero-barrier CVSS vector (PR:N, AC:L, AV:N) means opportunistic abuse is technically straightforward for any attacker who can reach the WordPress instance.
Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.7.56. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.
Missing authorization in the Church Admin WordPress plugin (versions through 5.0.30) allows unauthenticated remote attackers to invoke plugin endpoints and perform unauthorized write operations without authentication. The root cause is incorrectly configured access control security levels (CWE-862), where certain plugin actions omit the required capability or nonce checks. No public exploit code or active exploitation has been identified at time of analysis, though the zero-barrier CVSS vector (PR:N, AC:L, AV:N) means opportunistic abuse is technically straightforward for any attacker who can reach the WordPress instance.
Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin.7.56. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.