CVE-2024-37440

4.3 MEDIUM

📋 TL;DR

This CVE describes a missing authorization vulnerability in the Church Admin WordPress plugin that allows attackers to bypass access controls and perform unauthorized actions. It affects all versions up to and including 4.4.4. WordPress sites using vulnerable versions of this plugin are at risk.

💻 Affected Systems

Products:
  • WordPress Church Admin Plugin
Versions: n/a through 4.4.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Church Admin plugin installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify church administration data, access sensitive member information, or disrupt church operations by exploiting the broken access control.

🟠 Likely Case

Unauthorized users could access administrative functions they shouldn't have permission to use, potentially viewing or modifying church data.

🟢 If Mitigated

With proper network segmentation and least privilege access, impact would be limited to the specific WordPress instance.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to the WordPress site; the flaw is that the plugin's authorization checks are insufficient for the actions they are meant to guard, so that access can be used for operations it should not permit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 4.4.4

Vendor Advisory: https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-4-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Church Admin plugin
4. Click 'Update Now' if update is available
5. If no update appears, manually download latest version from WordPress repository
6. Deactivate old version, upload new version, activate

🔧 Temporary Workarounds

Temporary Plugin Deactivation (all platforms)

Disable the vulnerable plugin until patched:

wp plugin deactivate church-admin

Access Restriction via .htaccess (linux)

Restrict direct access to the plugin directory by placing the following in an .htaccess file there:

Order Deny,Allow
Deny from all

Note that Order and Deny are Apache 2.2 directives; on Apache 2.4 the equivalent is "Require all denied". This only blocks direct HTTP requests for files under the plugin directory: plugin code that WordPress itself loads (for example through admin pages or admin-ajax.php) is not affected by it, and any scripts or styles the plugin serves to the front end will also be blocked. Deactivating the plugin is the more reliable interim measure.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the WordPress instance
  • Apply principle of least privilege to all user accounts and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → Church Admin version

Check Version:

wp plugin get church-admin --field=version

Verify Fix Applied:

Verify Church Admin plugin version is greater than 4.4.4
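The check above, as an added example that is not part of the original advisory: a POSIX shell script that reads the installed version with the same WP-CLI command the advisory gives and tests it against the affected range (all versions up to and including 4.4.4). The dotted-numeric version format and the constructed fallback value used when WP-CLI is not present are assumptions.

```shell
#!/bin/sh
# Added example: is the installed Church Admin version within the affected
# range of CVE-2024-37440 (<= 4.4.4)? The version comes from WP-CLI
# (wp plugin get church-admin --field=version), as in the advisory's own check.
# Assumption: versions are dotted numerics such as 4.4.4 or 4.5; any
# non-numeric suffix on a component (e.g. "4-beta") is ignored.

LAST_AFFECTED="4.4.4"   # last affected version per the advisory

# version_le A B -> exit 0 if A <= B, comparing dotted components numerically
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; if [ "$ca" = "$a" ]; then a=""; else a=${a#*.}; fi
        cb=${b%%.*}; if [ "$cb" = "$b" ]; then b=""; else b=${b#*.}; fi
        # keep the leading digits only; a missing component counts as 0
        ca=$(printf '%s' "$ca" | sed 's/[^0-9].*//'); ca=${ca:-0}
        cb=$(printf '%s' "$cb" | sed 's/[^0-9].*//'); cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
    done
    return 0   # every component equal
}

# church_admin_vulnerable VERSION -> exit 0 if VERSION is in the affected range
church_admin_vulnerable() {
    version_le "$1" "$LAST_AFFECTED"
}

# Live check when WP-CLI is available; otherwise a constructed sample value
# so the script still runs stand-alone.
if command -v wp >/dev/null 2>&1; then
    installed=$(wp plugin get church-admin --field=version 2>/dev/null || echo "")
else
    installed="4.4.4"   # constructed sample value, not a real reading
fi

if [ -n "$installed" ]; then
    if church_admin_vulnerable "$installed"; then
        echo "church-admin $installed: AFFECTED by CVE-2024-37440 (<= $LAST_AFFECTED), update required"
    else
        echo "church-admin $installed: not in the affected range"
    fi
else
    echo "church-admin: plugin not found or WP-CLI unavailable"
fi
```

Run it from the WordPress root (where WP-CLI resolves the installation). A plain string comparison would be wrong here because 4.10 sorts before 4.9 lexically, so the components are compared as numbers. The WP-CLI counterpart of the GUI update steps above is "wp plugin update church-admin".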

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Church Admin functions
  • Unexpected user role changes or privilege escalations

Network Indicators:

  • Unusual API calls to Church Admin endpoints from unauthorized IPs

SIEM Query:

source="wordpress.log" AND "church-admin" AND ("unauthorized" OR "permission denied")
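The same detection logic as the SIEM query, as an added example that is not part of the original advisory: a shell filter for sites that keep a plain log file rather than a SIEM. It keeps lines mentioning church-admin together with "unauthorized" or "permission denied", then counts those denials per client IP so repeated probing from one source stands out. The log line layout and the sample entries are constructed assumptions, not real data.

```shell
#!/bin/sh
# Added example: the advisory's SIEM query as a log-file filter with a per-IP
# summary. Assumed (constructed) line layout:
#   <timestamp> <client-ip> "<request>" <status> "<message>"

# church_admin_denials LOGFILE -> prints "<count> <ip>", highest count first,
# for church-admin lines that record an authorization failure
church_admin_denials() {
    grep -i 'church-admin' "$1" \
      | grep -iE 'unauthorized|permission denied' \
      | awk '{ count[$2]++ } END { for (ip in count) print count[ip], ip }' \
      | sort -rn
}

# Constructed sample log so the script runs stand-alone
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-06-10T08:00:01Z 203.0.113.5 "POST /wp-admin/admin-ajax.php" 403 "church-admin: permission denied"
2024-06-10T08:00:02Z 203.0.113.5 "POST /wp-admin/admin-ajax.php" 403 "church-admin: permission denied"
2024-06-10T08:00:03Z 203.0.113.5 "POST /wp-admin/admin-ajax.php" 403 "church-admin: unauthorized"
2024-06-10T08:01:00Z 198.51.100.7 "GET /wp-content/plugins/church-admin/readme.txt" 200 "ok"
2024-06-10T08:02:00Z 198.51.100.7 "POST /wp-admin/admin-ajax.php" 403 "church-admin: Unauthorized"
2024-06-10T08:03:00Z 192.0.2.9 "GET /wp-login.php" 401 "permission denied"
EOF

# Prints "3 203.0.113.5" then "1 198.51.100.7": the readme fetch is not a
# denial, and the wp-login.php line is not a church-admin event.
church_admin_denials "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

A single denial can be an ordinary mistake by a legitimate user; several from one IP within a short window, especially against a site still running a version at or below 4.4.4, is the pattern worth alerting on.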

🔗 References