Platform: wordpress
Component: church-admin
Fixed in: 5.0.29
CVE-2026-0682 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Church Admin plugin for WordPress. This flaw allows authenticated administrators to initiate web requests to arbitrary locations, potentially exposing internal resources or modifying data within the application. The vulnerability impacts versions from 0.0.0 through 5.0.28, and a patch is available in version 5.0.29.
An attacker exploiting this SSRF vulnerability could leverage the Church Admin plugin to query internal services that are not directly accessible from the outside world. This could involve retrieving sensitive configuration data, accessing internal APIs, or even triggering actions on other systems within the network. While the vulnerability requires administrator privileges, a compromised administrator account could grant an attacker significant control over the WordPress environment. The potential blast radius extends to any internal service accessible via HTTP/HTTPS from the WordPress server, posing a risk to data confidentiality and integrity.
CVE-2026-0682 was published on 2026-01-17. Severity is currently rated LOW. No public proof-of-concept (PoC) code had been identified at the time of writing. The vulnerability is not currently listed in KEV or EPSS, which indicates a low probability of active exploitation. Refer to the official WordPress security advisory for further details.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-0682 is to immediately upgrade the Church Admin plugin to version 5.0.29 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block outbound requests to suspicious or internal IP addresses. Additionally, restrict the plugin's access to internal network resources by implementing network segmentation. Monitor WordPress logs for unusual outbound HTTP requests originating from the Church Admin plugin. After upgrading, verify the fix by attempting to access an internal resource through the plugin’s audio URL parameter and confirming that the request is blocked or properly sanitized.
Update to version 5.0.29, or a newer patched version
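The mitigation above asks for outbound requests to internal addresses to be blocked and for unusual outbound HTTP requests to be logged while the upgrade is pending. The following must-use plugin is an added example written for this page; it is not code from Church Admin or from the advisory. It hooks WordPress core's `pre_http_request` filter, which every `wp_remote_get()`/`wp_remote_post()`/`wp_remote_request()` call passes through, and rejects any request whose scheme is not http/https or whose target host resolves to a loopback, private, link-local or otherwise reserved address. The install path `wp-content/mu-plugins/` and the (empty) allow-list constant are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Egress Guard (added example, not part of Church Admin)
 * Description: Rejects WordPress HTTP API requests whose target resolves to a
 *              loopback, private, link-local or otherwise reserved address,
 *              and logs each blocked request.
 *
 * Assumed install location: wp-content/mu-plugins/egress-guard.php
 */

// Constructed allow-list: internal-looking hosts this site legitimately talks to.
// Empty by default; populate only with hosts you have reviewed.
const EGRESS_GUARD_ALLOWED_HOSTS = array();

/**
 * True when $ip is not a public unicast address (loopback, RFC 1918, link-local,
 * reserved space, IPv6 ULA) or is not a parseable IP at all.
 * Unparseable input counts as internal so the guard fails closed.
 */
function egress_guard_ip_is_internal( $ip ) {
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var( $ip, FILTER_VALIDATE_IP, $flags ) === false;
}

/**
 * Resolve $host (A and AAAA records) and report whether any address is internal.
 * A literal IP is checked directly; a name that does not resolve is treated as
 * internal (fail closed).
 */
function egress_guard_host_is_internal( $host ) {
    $host = strtolower( trim( $host, '[]' ) ); // strip IPv6 literal brackets
    if ( in_array( $host, EGRESS_GUARD_ALLOWED_HOSTS, true ) ) {
        return false;
    }
    if ( filter_var( $host, FILTER_VALIDATE_IP ) !== false ) {
        return egress_guard_ip_is_internal( $host );
    }
    $ips = array();
    foreach ( (array) gethostbynamel( $host ) as $ipv4 ) {
        $ips[] = $ipv4;
    }
    foreach ( (array) dns_get_record( $host, DNS_AAAA ) as $record ) {
        if ( isset( $record['ipv6'] ) ) {
            $ips[] = $record['ipv6'];
        }
    }
    if ( empty( $ips ) ) {
        return true;
    }
    foreach ( $ips as $ip ) {
        if ( egress_guard_ip_is_internal( $ip ) ) {
            return true;
        }
    }
    return false;
}

/**
 * 'pre_http_request' callback. Returning a WP_Error short-circuits the request;
 * returning $preempt unchanged lets it proceed. Core re-issues redirect targets
 * through wp_remote_request(), so redirects pass through this check as well.
 */
function egress_guard_pre_http_request( $preempt, $parsed_args, $url ) {
    if ( false !== $preempt ) {
        return $preempt; // another filter already answered this request
    }
    $scheme = strtolower( (string) wp_parse_url( $url, PHP_URL_SCHEME ) );
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host
        || ! in_array( $scheme, array( 'http', 'https' ), true )
        || egress_guard_host_is_internal( $host ) ) {
        // Feeds the "monitor for unusual outbound requests" step: one log line per block.
        error_log( 'egress_guard: blocked outbound request to ' . $url );
        return new WP_Error(
            'egress_guard_blocked',
            'Outbound request to a non-public address was blocked.'
        );
    }
    return $preempt;
}
add_filter( 'pre_http_request', 'egress_guard_pre_http_request', 10, 3 );
```

Two caveats on the design. First, WordPress already rejects non-public targets when a caller passes `'reject_unsafe_urls' => true` (or uses `wp_safe_remote_get()`); the filter above exists precisely because a plugin that fetches an administrator-supplied URL may not do so. Second, the guard resolves the host itself and then lets cURL resolve it again, so a DNS name that changes answers between the two lookups (DNS rebinding) can still slip through; treat this as a compensating control and a log source, not a replacement for upgrading to 5.0.29.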
CVE-2026-0682 is a Server-Side Request Forgery vulnerability in the Church Admin WordPress plugin, allowing authenticated administrators to make arbitrary web requests. It affects versions 0.0.0–5.0.28 and has a CVSS score of 2.2 (LOW).
You are affected if your WordPress site uses the Church Admin plugin and is running version 5.0.28 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the Church Admin plugin to version 5.0.29 or later. If immediate upgrade is not possible, implement a WAF rule to block suspicious outbound requests.
Currently, there is no public evidence of active exploitation of CVE-2026-0682, but it's crucial to apply the patch to mitigate potential risks.
Refer to the official WordPress security advisory and the Church Admin plugin's website for the latest information and updates regarding CVE-2026-0682.