WordPress Plugin Vulnerabilities

Church Admin < 5.0.29 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter

Description

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Fixed in 5.0.29

References

Classification

Type
SSRF
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
Phap Nguyen Anh
Verified
No

Timeline

Publicly Published
2026-01-16 (about 5 months ago)
Added
2026-01-16 (about 5 months ago)
Last Updated
2026-01-17 (about 5 months ago)

Other