Server-Side Request Forgery in Church Admin Plugin for WordPress
CVE-2026-0682

2.2LOW

Key Information:

Vendor

WordPress

Vendor
CVE Published:
17 January 2026

What is CVE-2026-0682?

The Church Admin plugin for WordPress is susceptible to Server-Side Request Forgery (SSRF) due to inadequate validation of URLs provided by users in the 'audio_url' parameter. This vulnerability permits attackers, who possess Administrator access, to initiate unauthorized web requests from the application to arbitrary destinations. Consequently, this exploitation could lead to unauthorized queries and modifications to internal services, emphasizing the need for robust security measures within the plugin.

Affected Version(s)

Church Admin 0 <= 5.0.28

References

CVSS V3.1

Score:
2.2
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Phap Nguyen Anh
.