CVE-2023-34021

Severity: 7.1 HIGH

📋 TL;DR

Unauthenticated reflected cross-site scripting (XSS) vulnerability in the Church Admin WordPress plugin allows attackers to inject malicious scripts via crafted URLs. When users click malicious links, attackers can steal session cookies, redirect users, or perform actions on their behalf. This affects WordPress sites running Church Admin plugin version 3.7.29 or earlier.

💻 Affected Systems

Products:
  • WordPress Church Admin plugin
Versions: <= 3.7.29
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with Church Admin plugin enabled. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the WordPress site, install backdoors, deface the website, or steal sensitive member data.

🟠 Likely Case

Attackers steal user session cookies to hijack accounts, redirect users to malicious sites, or display phishing content to steal credentials.

🟢 If Mitigated

With a properly tuned web application firewall and a content security policy in place, injected scripts are blocked, limiting the impact to failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS vulnerabilities are trivial to exploit with basic web knowledge. Attackers only need to craft malicious URLs and trick users into clicking them.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.30 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-3-7-29-reflected-cross-site-scripting-xss-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Church Admin plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules to block XSS payloads in URL parameters.

Content Security Policy (CSP)

Applies to: all

Implement CSP headers to restrict the sources from which scripts may execute, for example in .htaccess or the web server config (this is the Apache mod_headers syntax; nginx uses add_header):

Header set Content-Security-Policy "default-src 'self'; script-src 'self'"

Note that script-src 'self' also blocks inline scripts, which WordPress core and many plugins rely on, so test the policy (for example with Content-Security-Policy-Report-Only first) before enforcing it site-wide.

🧯 If You Can't Patch

  • Disable Church Admin plugin immediately until patched
  • Implement strict input validation and output encoding for all user inputs

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel go to Plugins > Installed Plugins and read the version number shown for Church Admin. If the version is 3.7.29 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=church-admin --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, verify that the Church Admin plugin version shown in the WordPress plugins list is 3.7.30 or higher.
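The version check above is easy to get wrong when scripted, because comparing version strings lexicographically ranks "3.7.9" above "3.7.30". The following is an added example (not part of the advisory or of the plugin) that takes the output of the WP-CLI command above, or the version number copied from the plugins list, and decides numerically whether it falls in the affected range (<= 3.7.29); the FIXED_VERSION constant and the function names are this example's own.

```python
"""Decide whether an installed Church Admin version is in the affected range.

Added example, not from the advisory. Compares version components as integers,
so "3.7.9" < "3.7.30" and "3.10.0" > "3.7.30" are handled correctly, which a
plain string comparison gets wrong.
"""

# First fixed release named in the advisory; anything below it is affected.
FIXED_VERSION = "3.7.30"


def parse_version(version):
    """Turn "3.7.29" (or "3.7.29\n" from WP-CLI) into the tuple (3, 7, 29).

    Leading digits of each dot-separated piece are used; a non-numeric tail
    such as "-beta" is dropped, and an empty piece counts as 0.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed_version):
    """True when the installed version is older than the fixed release."""
    return parse_version(installed_version) < parse_version(FIXED_VERSION)


def naive_is_vulnerable(installed_version):
    """The string comparison this example warns against, kept for contrast."""
    return installed_version.strip() < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inputs, e.g. as returned by:
    #   wp plugin list --name=church-admin --field=version
    for sample in ("3.7.29\n", "3.7.30", "3.7.9", "3.10.0", "3.7.30.1"):
        verdict = "VULNERABLE" if is_vulnerable(sample) else "patched"
        print(f"{sample.strip():>9}: {verdict} (naive string compare says "
              f"{'VULNERABLE' if naive_is_vulnerable(sample) else 'patched'})")
```

The "3.7.9" and "3.10.0" rows show where the naive comparison diverges from the numeric one; only the numeric result should drive any automated patch-status report.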

📡 Detection & Monitoring

Log Indicators:

  • Unusually long URLs with script tags in parameters
  • Multiple 404 errors with suspicious parameters
  • Referrer headers containing JavaScript code

Network Indicators:

  • HTTP requests with <script> tags in query parameters
  • URLs containing javascript: protocol or encoded script payloads

SIEM Query:

source="web_logs" AND (uri="*<script*" OR uri="*javascript:*" OR uri="*%3Cscript%3E*")
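The indicators and SIEM query above match the literal strings <script, javascript: and %3Cscript%3E, which misses double-encoded or mixed-case variants. The following is an added example (not part of the advisory) showing how the same detection logic looks when run over web-server access log lines offline: it parses combined-format lines, URL-decodes the request URI and Referer repeatedly, and then applies the indicators. The log lines are constructed for this example, and the pattern labels are this example's own naming.

```python
"""Scan access-log lines for reflected-XSS indicators in the URI and Referer.

Added example, not from the advisory. Decoding before matching means that
%3Cscript%3E, double-encoded %253Cscript%253E and mixed-case variants are all
caught by one set of patterns.
"""
import re
import urllib.parse

# Apache/nginx combined log format:
# host ident user [time] "METHOD uri PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators listed in the advisory plus inline event handlers; the labels
# are this example's own names, not vendor signature ids.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I),
}


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded, to avoid loops)."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(entry):
    """List (field, label) pairs for every pattern that matches the decoded URI or Referer."""
    hits = []
    for field in ("uri", "referer"):
        decoded = fully_decode(entry[field])
        for label, pattern in XSS_PATTERNS.items():
            if pattern.search(decoded):
                hits.append((field, label))
    return hits


def scan_log(lines):
    """Return (host, uri, hits) for each line carrying at least one indicator."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = find_indicators(entry)
        if hits:
            alerts.append((entry["host"], entry["uri"], hits))
    return alerts


# Constructed sample lines (RFC 5737 test addresses); line 1 is benign.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jun/2023:12:00:01 +0000] "GET /wp-admin/admin.php?page=church_admin&one=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2023:12:00:02 +0000] "GET /?s=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 300 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2023:12:00:03 +0000] "GET /?q=%253CScript%253Esrc%253D1 HTTP/1.1" 404 200 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Jun/2023:12:00:04 +0000] "GET /?p=1 HTTP/1.1" 200 4000 "javascript:document.location" "Mozilla/5.0"',
    '192.0.2.45 - - [10/Jun/2023:12:00:05 +0000] "GET /?img=%3Cimg+src%3Dx+onerror%3D1%3E HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, uri, hits in scan_log(SAMPLE_LOG):
        print(f"{host:15} {uri}  ->  {hits}")
```

The third sample line is double-encoded and mixed-case, so it would slip past the literal %3Cscript%3E match in the SIEM query but is flagged here after decoding; the fourth is caught only because the Referer field is inspected as well as the URI.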
