CVE-2024-34828

4.3 MEDIUM

📋 TL;DR

This Cross-Site Request Forgery (CSRF) vulnerability in the Church Admin WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. It affects all WordPress sites running Church Admin plugin versions up to 4.1.32. The vulnerability enables attackers to perform actions with the privileges of the logged-in user.

💻 Affected Systems

Products:
  • WordPress Church Admin plugin
Versions: n/a through 4.1.32
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations using vulnerable versions of the Church Admin plugin are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could trick an administrator into changing plugin settings, modifying user permissions, or performing other administrative actions that could compromise the site's functionality or security.

🟠 Likely Case

Attackers could modify plugin configurations, change user roles, or alter church management data without the administrator's knowledge.

🟢 If Mitigated

With proper CSRF protections and user awareness, the risk is significantly reduced, as legitimate user interaction is required for exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to trick an authenticated user into clicking a malicious link or visiting a compromised page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.33 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-1-32-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Church Admin plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.1.33+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Implement CSRF Tokens
Applies to: all

Add CSRF protection to Church Admin forms if custom modifications are possible.

Use Security Plugins
Applies to: all

Install WordPress security plugins that provide CSRF protection.
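The WordPress way to add CSRF protection to a plugin form is a nonce tied to a specific action, checked alongside a capability check before any state changes. The following is an added illustration of that pattern, not code from Church Admin or from the vendor; the option name, form field names, the `example_church_settings` action and the `manage_options` capability are all assumptions chosen for the example. The vulnerable handler is shown first (and is deliberately not hooked) so the difference is visible.

```php
<?php
// Added illustration, not Church Admin's code. Assumes a hypothetical plugin
// settings form that posts to admin-post.php with action=example_church_settings;
// option name, field names and capability are assumptions for the example.

// --- Vulnerable pattern: the handler trusts any POST from a logged-in user. ---
// A form on any third-party page the admin visits can submit these fields,
// and the browser attaches the admin's cookies. Shown for contrast; not hooked.
function example_settings_handler_vulnerable() {
    if ( isset( $_POST['notice_email'] ) ) {
        update_option( 'example_notice_email', sanitize_email( $_POST['notice_email'] ) );
    }
}

// --- Hardened pattern: the form carries a nonce bound to one action. ---
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_church_settings">
        <?php wp_nonce_field( 'example_church_settings_save', 'example_nonce' ); ?>
        <label>Notification email
            <input type="email" name="notice_email"
                   value="<?php echo esc_attr( get_option( 'example_notice_email', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_settings_handler_hardened() {
    // 1. Authorization: only users allowed to manage options may change them.
    //    A nonce proves intent, not permission, so this check is still needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce must match this user, this site and this action.
    //    check_admin_referer() calls wp_die() on a missing or stale nonce
    //    (the familiar "The link you followed has expired" page).
    check_admin_referer( 'example_church_settings_save', 'example_nonce' );

    // 3. Only now treat the submitted value as trusted input.
    $email = isset( $_POST['notice_email'] )
        ? sanitize_email( wp_unslash( $_POST['notice_email'] ) )
        : '';
    update_option( 'example_notice_email', $email );

    // Redirect back so a browser refresh does not resubmit the form.
    $back = wp_get_referer() ?: admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}

// admin-post.php dispatches 'admin_post_{action}' for authenticated requests.
add_action( 'admin_post_example_church_settings', 'example_settings_handler_hardened' );
```

Two design points worth keeping in mind when retrofitting this into a plugin: the nonce action string should be unique per operation (one shared nonce across all forms lets a valid token for a harmless action authorize a sensitive one), and links that change state via GET need the same treatment using `wp_nonce_url()` on the link and `check_admin_referer()` in the handler.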

🧯 If You Can't Patch

  • Temporarily disable the Church Admin plugin until patching is possible
  • Implement strict access controls and educate users about CSRF risks

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → Church Admin version

Check Version:

wp plugin list --name=church-admin --field=version

Verify Fix Applied:

Verify Church Admin plugin version is 4.1.33 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unexpected administrative actions in WordPress logs
  • Multiple failed CSRF token validations

Network Indicators:

  • Requests to Church Admin endpoints without proper referrer headers
  • Suspicious cross-origin requests

SIEM Query:

source="wordpress" AND (plugin="church-admin" AND action="*admin*") | stats count by src_ip
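As an added, self-contained illustration of the network indicators above (not part of the advisory), the script below scans web-server access logs in combined format and reports POST requests into `/wp-admin/` whose Referer is absent or points at a different origin. The site host, the admin paths and the four log lines are constructed for the example and are not Church Admin's real endpoints.

```php
<?php
// Added detection example; not part of the advisory. The host name, paths and
// log lines below are constructed for illustration.

const SITE_HOST = 'church.example.org';

// Constructed sample: a legitimate same-origin POST, a POST with no Referer,
// a POST referred from another origin, and a harmless GET.
$sample_log = <<<LOG
203.0.113.5 - - [10/Jun/2024:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://church.example.org/wp-admin/admin.php?page=church_admin" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:10:02:45 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:10:03:10 +0000] "POST /wp-admin/admin.php?page=church_admin HTTP/1.1" 200 5120 "https://third-party.example.net/invite.html" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2024:10:04:00 +0000] "GET /wp-admin/admin.php?page=church_admin HTTP/1.1" 200 9000 "https://church.example.org/wp-admin/" "Mozilla/5.0"
LOG;

/**
 * Return the POST requests into wp-admin whose Referer is missing or
 * belongs to a host other than $site_host.
 */
function find_suspicious_admin_posts( string $log, string $site_host ): array {
    // Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    $hits = array();

    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not a combined-format line; skip rather than guess
        }
        list( , $ip, $ts, $method, $path, $status, $referer ) = $m;

        // Only state-changing requests into the admin area are of interest.
        if ( $method !== 'POST' || strpos( $path, '/wp-admin/' ) !== 0 ) {
            continue;
        }

        $ref_host = ( $referer === '-' || $referer === '' )
            ? null
            : parse_url( $referer, PHP_URL_HOST );

        if ( $ref_host === null ) {
            $reason = 'missing Referer';
        } elseif ( strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $reason = 'cross-origin Referer from ' . $ref_host;
        } else {
            continue; // same-origin: expected for a normal admin form submission
        }

        $hits[] = compact( 'ip', 'ts', 'method', 'path', 'status', 'reason' );
    }
    return $hits;
}

foreach ( find_suspicious_admin_posts( $sample_log, SITE_HOST ) as $h ) {
    printf( "%s %s %s %s -> %s (%s)\n",
        $h['ts'], $h['ip'], $h['method'], $h['path'], $h['status'], $h['reason'] );
}
```

Run against the constructed sample this reports the second and third lines only. Treat the "missing Referer" case as a triage filter rather than an alert on its own: browsers strip the header under strict Referrer-Policy settings and some privacy extensions, so it is noisy; a POST into wp-admin referred from a foreign origin is the stronger signal and is the one to correlate with the SIEM query above.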
