Platform
wordpress
Component
church-admin
Fixed in
5.0.29
CVE-2026-0682 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Church Admin plugin for WordPress. This flaw allows authenticated administrators to initiate web requests to arbitrary locations, potentially exposing internal resources or modifying data within the application. The vulnerability impacts versions from 0.0.0 through 5.0.28, and a patch is available in version 5.0.29.
The SSRF vulnerability in Church Admin allows an authenticated administrator to craft requests that originate from the WordPress application itself. This can be exploited to query internal services that are not directly reachable from the outside, for example internal APIs, databases, or other resources protected by firewalls or network segmentation. While the CVSS score is low, the potential for data exposure and internal reconnaissance makes this a significant concern, especially in environments with sensitive internal systems. The ability to modify data held by internal services is a further concern.
CVE-2026-0682 was publicly disclosed on 2026-01-17. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the low CVSS score and lack of public exploits, the probability of active exploitation is currently considered low, but continuous monitoring is recommended.
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-0682 is to upgrade the Church Admin plugin to version 5.0.29 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious URLs in the 'audio_url' parameter. Additionally, restrict the plugin's access to internal resources by implementing network segmentation and access control lists. Regularly review the plugin's configuration and ensure that it adheres to security best practices. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked or handled securely.
Upgrade to version 5.0.29 or a newer patched version
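As an added illustration of the server-side hardening the mitigation above calls for (this is example code, not the plugin's own code and not the actual 5.0.29 patch): a hypothetical WordPress AJAX handler that accepts an 'audio_url' parameter and fetches it only after a capability check, a nonce check, a scheme allowlist and WordPress's built-in unsafe-URL validation. The function name, AJAX action, nonce action and required capability are assumptions.

```php
<?php
// Hypothetical handler (added example, not the plugin's own code): a safe way
// for a plugin to fetch a user-supplied 'audio_url' on the server side.
function example_fetch_audio_url() {
    // Only privileged users may trigger the fetch, and the request must carry a valid nonce.
    if ( ! current_user_can( 'manage_options' )
        || ! check_ajax_referer( 'example_fetch_audio', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $url = isset( $_POST['audio_url'] )
        ? esc_url_raw( wp_unslash( $_POST['audio_url'] ) )
        : '';

    // esc_url_raw() still permits schemes such as ftp: and mailto:, so restrict
    // explicitly to http(s).
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'scheme not allowed', 400 );
    }

    // wp_http_validate_url() resolves the host and rejects loopback and private
    // (RFC 1918) addresses as well as ports other than 80, 443 and 8080. The host
    // is resolved again when the request is sent, so a DNS name that rebinds
    // between the two lookups is not covered; where the use case allows it,
    // compare the host against a fixed allowlist as well.
    if ( ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }

    // wp_safe_remote_get() applies the same validation to the request itself via
    // the 'reject_unsafe_urls' argument; redirects are disabled here so the
    // response cannot be steered to another host.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }

    wp_send_json_success( array(
        'status' => wp_remote_retrieve_response_code( $response ),
    ) );
}
add_action( 'wp_ajax_example_fetch_audio', 'example_fetch_audio_url' );
```

For detection, log the validated URL and the rejection reason on each denied branch so that attempts against internal addresses show up in the site's logs.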
CVE-2026-0682 is a Server-Side Request Forgery vulnerability in the Church Admin WordPress plugin, allowing authenticated administrators to make arbitrary web requests. It affects versions 0.0.0–5.0.28 and has a CVSS score of 2.2 (LOW).
You are affected if your WordPress site uses the Church Admin plugin and is running version 5.0.28 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the Church Admin plugin to version 5.0.29 or later. If immediate upgrade is not possible, implement a WAF rule to block suspicious outbound requests.
Currently, there is no public evidence of active exploitation of CVE-2026-0682, but it's crucial to apply the patch to mitigate potential risks.
Refer to the official WordPress security advisory and the Church Admin plugin's website for the latest information and updates regarding CVE-2026-0682.