CVE-2026-0682

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS v3 2.2 LOW

2.2^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/functions.php#L6297
https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/sermon-podcast.php#L1181
https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/functions.php#L6297
https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/sermon-podcast.php#L1181
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440847%40church-admin&new=3440847%40church-admin&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=cve

Configurations

No configuration.

History

No history.

Information

Published : 2026-01-17 04:16

Updated : 2026-01-26 15:05

NVD link : CVE-2026-0682

Mitre link : CVE-2026-0682

CVE.ORG link : CVE-2026-0682

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

2.2 /10