vulnerability

WordPress Plugin: church-admin: CVE-2026-0682: Server-Side Request Forgery (SSRF)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:N/AC:M/Au:M/C:N/I:P/A:N)	Jan 16, 2026	Jan 19, 2026	Jan 19, 2026

Severity

CVSS

(AV:N/AC:M/Au:M/C:N/I:P/A:N)

Published

Jan 16, 2026

Added

Jan 19, 2026

Modified

Jan 19, 2026

Description

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Solution

church-admin-plugin-cve-2026-0682

References

URL-https://www.cve.org/CVERecord?id=CVE-2026-0682
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=api-prod
CVE-2026-0682
https://attackerkb.com/topics/CVE-2026-0682
CWE-918

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today