CVE-2026-0682
📋 TL;DR
The Church Admin WordPress plugin is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to 5.0.28. This allows authenticated attackers with Administrator access to make arbitrary web requests from the vulnerable server, potentially accessing internal services. Only WordPress sites using vulnerable versions of the Church Admin plugin are affected.
💻 Affected Systems
- Church Admin WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator-level attacker could access internal services, exfiltrate sensitive data, or perform internal network reconnaissance leading to further compromise.
Likely Case
Malicious administrator could probe internal network services, potentially accessing metadata services or internal APIs.
If Mitigated
With proper network segmentation and least privilege, impact is limited to the web server's network perspective.
🎯 Exploit Status
Exploitation requires Administrator-level access to WordPress
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.0.28
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440847%40church-admin&new=3440847%40church-admin&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Church Admin plugin
4. Click 'Update Now' if update available
5. Alternatively, download latest version from WordPress plugin repository
🔧 Temporary Workarounds
Remove Administrator Access
allRestrict Administrator access to trusted users only
Disable Plugin
allTemporarily disable Church Admin plugin until patched
🧯 If You Can't Patch
- Implement network segmentation to restrict web server access to internal services
- Apply strict firewall rules to limit outbound connections from web server
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Church Admin version. If version is 5.0.28 or lower, system is vulnerable.Check Version:
wp plugin list --name=church-admin --field=version (if WP-CLI installed)Verify Fix Applied:
Verify Church Admin plugin version is higher than 5.0.28 in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IP ranges
- Multiple failed connection attempts to internal services
Network Indicators:
- HTTP requests from web server to internal services not typically accessed
- Traffic to metadata services (169.254.169.254 for AWS, etc.)
SIEM Query:
source="web_server_logs" AND (dst_ip IN internal_ranges OR dst_ip=169.254.169.254) AND user_agent="WordPress"🔗 References
- https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/functions.php#L6297
- https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/sermon-podcast.php#L1181
- https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/functions.php#L6297
- https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/sermon-podcast.php#L1181
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440847%40church-admin&new=3440847%40church-admin&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=cve
