WordPress Plugin Vulnerabilities
Church Admin < 5.0.29 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter
Description
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affects Plugins
References
Classification
Type
SSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Phap Nguyen Anh
Verified
No
WPVDB ID
Timeline
Publicly Published
2026-01-16 (about 5 months ago)
Added
2026-01-16 (about 5 months ago)
Last Updated
2026-01-17 (about 5 months ago)