CVE-2024-37418 – This vulnerability allows attackers to upload a... (How to Fix)

📋 TL;DR

This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress servers running the Church Admin plugin. Attackers can achieve remote code execution and full server compromise. All WordPress sites using Church Admin versions up to 4.4.6 are affected.

💻 Affected Systems

Products:

WordPress Church Admin Plugin

Versions: n/a through 4.4.6

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Church Admin plugin enabled

📦 What is this software?

Church Admin by Church Admin Project

View all CVEs affecting Church Admin →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server takeover with web shell installation leading to data theft, ransomware deployment, or use as attack platform

🟠

Likely Case

Web shell upload enabling persistent backdoor access, data exfiltration, and further lateral movement

🟢

If Mitigated

File uploads blocked or sanitized, preventing malicious file execution

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated user access; file upload functionality lacks proper validation

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.7 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-6-arbitrary-file-upload-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Church Admin plugin
4. Click 'Update Now' if available
5. If no update available, download version 4.4.7+ from WordPress repository
6. Deactivate old version, upload new version, activate

🔧 Temporary Workarounds

Disable Church Admin Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate church-admin

Web Application Firewall Rule

all

Block file uploads to Church Admin endpoints

Add WAF rule to block POST requests containing file uploads to /wp-content/plugins/church-admin/

🧯 If You Can't Patch

Implement strict file upload validation at web server level
Restrict plugin access to trusted users only and monitor file upload activities

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Church Admin version. If version ≤ 4.4.6, vulnerable.

Check Version:

wp plugin get church-admin --field=version

Verify Fix Applied:

Confirm Church Admin plugin version is 4.4.7 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads to /wp-content/plugins/church-admin/
POST requests with file uploads to plugin endpoints
Execution of PHP files in upload directories

Network Indicators:

HTTP POST requests with file uploads to Church Admin endpoints
Unexpected outbound connections from web server

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/church-admin/*" AND method="POST" AND content_type="multipart/form-data")

📊 Metadata

CVE ID: CVE-2024-37418

CVSS v3 Score: 9.9 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-434

Published: July 9, 2024

Last Updated: January 21, 2026

🔗 References

https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-6-arbitrary-file-upload-vulnerability?_s_id=cve Patch,Third Party Advisory
https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-6-arbitrary-file-upload-vulnerability?_s_id=cve Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-37418, you might also want to check these: