VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 26 known issues Latest disclosed Jan 16, 2026

Church Admin Vulnerabilities

Review known vulnerability records for the WordPress plugin Church Admin (`church-admin`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-0682, CVE-2025-57896 and CVE-2025-39555, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
26
High or Critical
5
Patch Coverage
100%
Last Updated
Jan 17, 2026
Priority CVE Quick Links

Fast paths into Church Admin CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
26
CVE-2024-37418 High 4.4.7
CVE-2024-37418 Church Admin Remote Code Execution

Church Admin <= 4.4.6 - Authenticated (Subscriber+) Arbitrary File Upload

CVE-2024-31280 High 4.1.6
CVE-2024-31280 Church Admin Remote Code Execution

Church Admin <= 4.1.5 - Authenticated (Subscriber+) Arbitrary File Upload

CVE-2024-30244 High 4.0.28
CVE-2024-30244 Church Admin SQL Injection

Church Admin <= 4.0.27 - Authenticated (Contributor+) SQL Injection

CVE-2018-20971 High 1.2550
CVE-2018-20971 Church Admin Cross-Site Request Forgery

Church Admin < 1.2550 - Cross-Site Request Forgery

CVE-2025-26941 High 5.0.19
CVE-2025-26941 Church Admin SQL Injection

Church Admin <= 5.0.18 - Unauthenticated SQL Injection

CVE-2025-39555 Medium 5.0.24
CVE-2025-39555 Church Admin Stored Cross-Site Scripting

Church Admin <= 5.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-35764 Medium 4.4.5
CVE-2024-35764 Church Admin Stored Cross-Site Scripting

Church Admin <= 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-30193 Medium 4.1.18
CVE-2024-30193 Church Admin Stored Cross-Site Scripting

Church Admin <= 4.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via meta-text

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Church Admin so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
26 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 5 high severity findings.
Recent CVEs
CVE-2026-0682, CVE-2025-57896 and CVE-2025-39555
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Church Admin

Sorted by latest disclosure date so newly published issues surface first.

Plugin Low Patched: Yes CVE-2026-0682
CVE-2026-0682: Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrato...

Published
Jan 16, 2026
Patched Release
5.0.29
Affected Versions
Versions up to 5.0.28
Next Step
Update to 5.0.29 or newer if supported.
Open CVE-2026-0682 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-57896
CVE-2025-57896: Church Admin <= 5.0.26 - Missing Authorization

The Church Admin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.0.26. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Aug 22, 2025
Patched Release
5.0.27
Affected Versions
Versions up to 5.0.26
Next Step
Update to 5.0.27 or newer if supported.
Open CVE-2025-57896 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-39555
CVE-2025-39555: Church Admin <= 5.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Church Admin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to...

Published
Apr 16, 2025
Patched Release
5.0.24
Affected Versions
Versions up to 5.0.23
Next Step
Update to 5.0.24 or newer if supported.
Open CVE-2025-39555 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-39553
CVE-2025-39553: Church Admin <= 5.0.9 - Unauthenticated Information Disclosure

The Church Admin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.0.9. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Published
Apr 16, 2025
Patched Release
5.0.10
Affected Versions
Versions up to 5.0.9
Next Step
Update to 5.0.10 or newer if supported.
Open CVE-2025-39553 Report Open CVE Reference
Plugin High Patched: Yes CVE-2025-26941
CVE-2025-26941: Church Admin <= 5.0.18 - Unauthenticated SQL Injection

The Church Admin plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 5.0.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated a...

Published
Mar 13, 2025
Patched Release
5.0.19
Affected Versions
Versions up to 5.0.18
Next Step
Update to 5.0.19 or newer if supported.
Open CVE-2025-26941 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-53795
CVE-2024-53795: Church Admin <= 5.0.8 - Missing Authorization

The Church Admin plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on an AJAX action in versions up to, and including, 5.0.8. This makes it possible for unauthenticated attackers to send emails.

Published
Dec 02, 2024
Patched Release
5.0.9
Affected Versions
Versions up to 5.0.8
Next Step
Update to 5.0.9 or newer if supported.
Open CVE-2024-53795 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-50438
CVE-2024-50438: Church Admin < 5.0.0 - Reflected Cross-Site Scripting

The Church Admin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if...

Published
Oct 24, 2024
Patched Release
5.0.0
Affected Versions
Versions before 5.0.0
Next Step
Update to 5.0.0 or newer if supported.
Open CVE-2024-50438 Report Open CVE Reference
Plugin High Patched: Yes CVE-2024-37418
CVE-2024-37418: Church Admin <= 4.4.6 - Authenticated (Subscriber+) Arbitrary File Upload

The Church Admin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 4.4.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on...

Published
Jul 04, 2024
Patched Release
4.4.7
Affected Versions
Versions up to 4.4.6
Next Step
Update to 4.4.7 or newer if supported.
Open CVE-2024-37418 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-37440
CVE-2024-37440: Church Admin <= 4.4.4 - Missing Authorization

The Church Admin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete-household cas in versions up to, and including, 4.4.4. This makes it possible for authenticated attackers, with subscriber-level access and abo...

Published
Jun 28, 2024
Patched Release
4.4.5
Affected Versions
Versions up to 4.4.4
Next Step
Update to 4.4.5 or newer if supported.
Open CVE-2024-37440 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-35764
CVE-2024-35764: Church Admin <= 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Church Admin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contribu...

Published
Jun 17, 2024
Patched Release
4.4.5
Affected Versions
Versions up to 4.4.4
Next Step
Update to 4.4.5 or newer if supported.
Open CVE-2024-35764 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-35637
CVE-2024-35637: Church Admin <= 4.3.6 - Authenticated (Admin+) Server-Side Request Forgery

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating f...

Published
May 30, 2024
Patched Release
4.4.0
Affected Versions
Versions up to 4.3.6
Next Step
Update to 4.4.0 or newer if supported.
Open CVE-2024-35637 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-34828
CVE-2024-34828: Church Admin <= 4.1.32 - Cross-Site Request Forgery

The Church Admin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.32. This is due to missing or incorrect nonce validation on several functions in the includes/functions.php file. This makes it possible for unauthenticated...

Published
May 09, 2024
Patched Release
4.2.0
Affected Versions
Versions up to 4.1.32
Next Step
Update to 4.2.0 or newer if supported.
Open CVE-2024-34828 Report Open CVE Reference