Church Admin Security & Risk Analysis

wordpress.org/plugins/church-admin

Organise and communicate church life, with associated Android and iOS app for your congregation.

1K active installs · v5.0.30 · PHP 7.0+ · WP 5.0+ · Updated Feb 6, 2026

Tags: calendar, church, membership, schedules, sermons

Security score: 87 (A · Safe)
CVEs total: 26
Unpatched: 0
Last CVE: Jan 16, 2026
Safety Verdict

Is Church Admin Safe to Use in 2026?

Generally Safe

Score 87/100

Church Admin has a strong security track record. Known vulnerabilities have been patched promptly.

26 known CVEs · Last CVE: Jan 16, 2026 · Updated 1mo ago
Risk Assessment

The "church-admin" plugin version 5.0.30 presents a mixed security posture. While it demonstrates good practices in output escaping (89% properly escaped) and utilizes a reasonable number of nonce and capability checks, significant concerns arise from its attack surface and taint analysis. Four of its eight AJAX handlers lack authentication checks, representing a direct pathway for unauthorized actions. The taint analysis is particularly worrying, with 60 high-severity flows and 72 flows with unsanitized paths, indicating a high likelihood of exploitable vulnerabilities in how user-supplied data is handled, even though no critical severity taint flows were detected.

The plugin's vulnerability history is a substantial red flag. With 26 known CVEs, including 5 high-severity ones, and a history of common vulnerability types such as SQL injection, XSS, SSRF, and unauthorized access, it suggests a persistent struggle with secure coding practices. The presence of "unserialize" as a dangerous function, coupled with the high number of unsanitized paths in taint analysis, further amplifies the risk of remote code execution or data breaches. The latest vulnerability listed in 2026 indicates the data might be predictive or historical, but the sheer volume of past issues points to ongoing security weaknesses.

In conclusion, while the plugin has some positive attributes like good output escaping, the high number of unprotected AJAX endpoints, critical taint analysis results, and a long history of diverse and severe vulnerabilities collectively paint a picture of a high-risk plugin. The prevalence of past vulnerabilities suggests that even with current efforts, the underlying codebase may contain recurring security flaws. It is strongly recommended that users exercise extreme caution and prioritize updating to a version with thoroughly addressed and verified security fixes.

Key Concerns

  • AJAX handlers without authentication checks
  • High number of high severity taint flows
  • High number of unsanitized paths in taint analysis
  • Use of 'unserialize' dangerous function
  • Low percentage of prepared SQL statements
  • Significant number of known CVEs (26 total)
  • High number of past high severity CVEs (5)
  • Common vulnerability types (SQLi, XSS, SSRF, etc.)

Vulnerabilities (26)

Church Admin Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2018: 1 CVE
2022: 1 CVE
2023: 3 CVEs
2024: 15 CVEs
2025: 4 CVEs
2026: 1 CVE

Severity Breakdown

High: 5
Medium: 20
Low: 1

26 total CVEs

CVE-2026-0682 · low · 2.2 · Server-Side Request Forgery (SSRF)
Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter
Jan 16, 2026 · Patched in 5.0.29 (1d)

CVE-2025-57896 · medium · 5.3 · Missing Authorization
Church Admin <= 5.0.26 - Missing Authorization
Aug 22, 2025 · Patched in 5.0.27 (4d)

CVE-2025-39553 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
Church Admin <= 5.0.9 - Unauthenticated Information Disclosure
Apr 16, 2025 · Patched in 5.0.10 (7d)

CVE-2025-39555 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Church Admin <= 5.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting
Apr 16, 2025 · Patched in 5.0.24 (7d)

CVE-2025-26941 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Church Admin <= 5.0.18 - Unauthenticated SQL Injection
Mar 13, 2025 · Patched in 5.0.19 (41d)

CVE-2024-53795 · medium · 5.3 · Missing Authorization
Church Admin <= 5.0.8 - Missing Authorization
Dec 2, 2024 · Patched in 5.0.9 (10d)

CVE-2024-50438 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Church Admin < 5.0.0 - Reflected Cross-Site Scripting
Oct 24, 2024 · Patched in 5.0.0 (7d)

CVE-2024-37418 · high · 8.8 · Unrestricted Upload of File with Dangerous Type
Church Admin <= 4.4.6 - Authenticated (Subscriber+) Arbitrary File Upload
Jul 4, 2024 · Patched in 4.4.7 (7d)

CVE-2024-37440 · medium · 5.3 · Missing Authorization
Church Admin <= 4.4.4 - Missing Authorization
Jun 28, 2024 · Patched in 4.4.5 (5d)

CVE-2024-35764 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Church Admin <= 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jun 17, 2024 · Patched in 4.4.5 (16d)

CVE-2024-35637 · medium · 5.5 · Server-Side Request Forgery (SSRF)
Church Admin <= 4.3.6 - Authenticated (Admin+) Server-Side Request Forgery
May 30, 2024 · Patched in 4.4.0 (7d)

CVE-2024-34828 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Church Admin <= 4.1.32 - Cross-Site Request Forgery
May 9, 2024 · Patched in 4.2.0 (7d)

CVE-2024-32090 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Church Admin <= 4.0.27 - Cross-Site Request Forgery
Apr 11, 2024 · Patched in 4.0.28 (7d)

CVE-2024-31281 · medium · 4.3 · Missing Authorization
Church Admin <= 4.1.6 - Missing Authorization
Apr 5, 2024 · Patched in 4.1.7 (7d)

CVE-2024-31280 · high · 8.8 · Unrestricted Upload of File with Dangerous Type
Church Admin <= 4.1.5 - Authenticated (Subscriber+) Arbitrary File Upload
Apr 5, 2024 · Patched in 4.1.6 (7d)

CVE-2024-30493 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Church Admin <= 4.1.7 - Cross-Site Request Forgery
Mar 28, 2024 · Patched in 4.1.8 (7d)

CVE-2024-30505 · medium · 4.3 · Missing Authorization
Church Admin <= 4.1.18 - Missing Authorization
Mar 28, 2024 · Patched in 4.1.19 (7d)

CVE-2024-30244 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Church Admin <= 4.0.27 - Authenticated (Contributor+) SQL Injection
Mar 26, 2024 · Patched in 4.0.28 (17d)

CVE-2024-30193 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Church Admin <= 4.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via meta-text
Mar 25, 2024 · Patched in 4.1.18 (5d)

CVE-2024-30197 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Church Admin <= 4.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Mar 25, 2024 · Patched in 4.0.27 (5d)

CVE-2023-38515 · medium · 5.5 · Server-Side Request Forgery (SSRF)
Church Admin <= 3.7.56 - Server-Side Request Forgery via church_admin_import_csv
Jul 26, 2023 · Patched in 3.8.0 (181d)

CVE-2023-34021 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Church Admin <= 3.7.29 - Reflected Cross-Site Scripting
Jun 13, 2023 · Patched in 3.7.30 (224d)

CVE-2023-30782 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Church Admin <= 3.7.5 - Reflected Cross-Site Scripting
Apr 18, 2023 · Patched in 3.7.6 (280d)

CVE-2022-0833 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Church Admin <= 3.4.134 - Cross-Site Request Forgery leading to Plugin Backup Disclosure
Mar 7, 2022 · Patched in 3.4.135 (687d)

CVE-2018-20971 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Church Admin < 1.2550 - Cross-Site Request Forgery
Feb 14, 2018 · Patched in 1.2550 (2169d)

CVE-2015-4127 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Church Admin < 0.810 - Stored Cross-Site Scripting
May 22, 2015 · Patched in 0.810 (3168d)

Code Analysis
Analyzed Mar 16, 2026

Church Admin Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 869 (142 prepared)
Unescaped Output: 516 (4128 escaped)
Nonce Checks: 195
Capability Checks: 27
File Operations: 66
External Requests: 13
Bundled Libraries: 0

Dangerous Functions Found

unserialize at church-admin.php:2910: church_admin_email_send($row->recipient,$row->subject,$row->message,$from_name,$from_email,unseriali
unserialize at display\directory.php:82: $privacy=unserialize($row->privacy);
unserialize at display\phone-list.php:39: $privacy=unserialize($row->privacy);
unserialize at includes\custom_fields.php:222: $options_chosen = !empty($data->options)? unserialize($data->options) : array();
unserialize at includes\custom_fields.php:247: $options_chosen = !empty($data->options)? unserialize($data->options) : array();
unserialize at includes\settings.php:1064: if(!empty( $_POST['people'] ) )$people=unserialize(church_admin_get_people_id(sanitize_text_field( $

SQL Query Safety

14% prepared (1011 total queries)

Output Escaping

89% escaped (4644 total outputs)

Data Flows (72 unsanitized)

Data Flow Analysis

25 flows, 72 with unsanitized paths

church_admin_edit_conditional_automation (includes\automations.php:280)

Attack Surface (4 unprotected)

Church Admin Attack Surface

Entry Points: 13
Unprotected: 4

AJAX Handlers (8)

auth: wp_ajax_church_admin_calendar_date_display (church-admin.php:3566)
nopriv: wp_ajax_church_admin_calendar_date_display (church-admin.php:3567)
auth: wp_ajax_church_admin_image_upload (church-admin.php:3579)
nopriv: wp_ajax_church_admin_image_upload (church-admin.php:3580)
auth: wp_ajax_church_admin_calendar_event_display (church-admin.php:3618)
nopriv: wp_ajax_church_admin_calendar_event_display (church-admin.php:3619)
auth: wp_ajax_church_admin (church-admin.php:3668)
nopriv: wp_ajax_church_admin (church-admin.php:3669)

Shortcodes (5)

[church_admin_unsubscribe] church-admin.php:2211
[church_admin_recent] church-admin.php:2217
[church_admin] church-admin.php:2225
[church_admin_map] church-admin.php:2227
[church_admin_register] church-admin.php:2311

WordPress Hooks (73)

action: wp_loaded (church-admin.php:81)
action: wp_loaded (church-admin.php:98)
action: admin_init (church-admin.php:149)
action: init (church-admin.php:660)
action: delete_user (church-admin.php:1033)
action: activated_plugin (church-admin.php:1051)
action: load-church-admin (church-admin.php:1055)
action: admin_bar_menu (church-admin.php:1128)
action: wp_enqueue_scripts (church-admin.php:1138)
action: admin_enqueue_scripts (church-admin.php:1139)
action: wp_head (church-admin.php:1173)
action: wp_enqueue_scripts (church-admin.php:1184)
action: admin_enqueue_scripts (church-admin.php:1185)
action: after_setup_theme (church-admin.php:1476)
action: admin_enqueue_scripts (church-admin.php:1501)
action: wp_enqueue_scripts (church-admin.php:1502)
action: admin_head (church-admin.php:1507)
action: wp_head (church-admin.php:1524)
action: admin_menu (church-admin.php:1547)
action: wp_before_admin_bar_render (church-admin.php:1627)
action: init (church-admin.php:2358)
action: init (church-admin.php:2364)
action: church_admin_bulk_email (church-admin.php:2883)
filter: plugin_row_meta (church-admin.php:2920)
action: wp_trash_post (church-admin.php:2934)
action: transition_post_status (church-admin.php:2950)
action: init (church-admin.php:3198)
action: init (church-admin.php:3205)
action: init (church-admin.php:3297)
action: init (church-admin.php:3345)
action: add_meta_boxes (church-admin.php:3412)
action: edit_form_after_title (church-admin.php:3414)
action: save_post (church-admin.php:3467)
filter: manage_bible-readings_posts_columns (church-admin.php:3470)
action: manage_bible-readings_posts_custom_column (church-admin.php:3493)
filter: the_content (church-admin.php:3556)
action: init (church-admin.php:4786)
action: init (church-admin.php:4898)
filter: login_redirect (church-admin.php:4960)
action: save_post (church-admin.php:4964)
filter: manage_app-content_posts_columns (church-admin.php:5031)
action: manage_app-content_posts_custom_column (church-admin.php:5040)
action: add_meta_boxes (church-admin.php:5069)
action: admin_init (church-admin.php:5145)
action: church_admin_followup_email (church-admin.php:5151)
action: church_admin_happy_birthday_email (church-admin.php:5480)
action: church_admin_global_birthday_email (church-admin.php:5575)
action: church_admin_happy_anniversary_email (church-admin.php:5680)
action: church_admin_global_anniversary_email (church-admin.php:5771)
action: church_admin_global_birthday_and_anniversary_email (church-admin.php:5893)
action: church_admin_custom_fields_automations (church-admin.php:6154)
filter: upload_dir (church-admin.php:6219)
filter: wp_img_tag_add_decoding_attr (display\new-sermon-podcast.php:447)
action: elementor/widgets/register (elementor\elementor.php:45)
action: elementor/editor/before_enqueue_scripts (elementor\elementor.php:55)
action: elementor/elements/categories_registered (elementor\elementor.php:72)
action: wp_enqueue_scripts (gutenberg\php-blocks.php:22)
action: enqueue_block_editor_assets (gutenberg\php-blocks.php:128)
action: init (gutenberg\php-blocks.php:219)
filter: wp_mail_from (includes\email.php:40)
filter: wp_mail_from_name (includes\email.php:41)
filter: wp_mail_content_type (includes\email.php:42)
action: wp_mail_failed (includes\functions.php:159)
action: phpmailer_init (includes\functions.php:164)
action: admin_notices (includes\functions.php:1672)
filter: wp_mail_content_type (includes\functions.php:6141)
filter: wp_mail_from (includes\functions.php:6852)
filter: wp_mail_from_name (includes\functions.php:6853)
filter: wp_mail_content_type (includes\functions.php:6854)
action: admin_head (includes\header.inc.php:5)
action: wp_head (includes\header.inc.php:11)
action: wp_head (includes\header.inc.php:13)
action: church_admin_bulk_email (includes\settings.php:156)

Scheduled Events (4)

church_admin_custom_fields_automations
church_admin_bulk_email
church_admin_followup_email
church_admin_bulk_email

Maintenance & Trust

Church Admin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 6, 2026
PHP min version: 7.0
Downloads: 458K

Community Trust

Rating: 94/100
Number of ratings: 17
Active installs: 1K

Developer Profile

Church Admin Developer Profile

andy_moyle

5 plugins · 2K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 249 days

Detection Fingerprints

How We Detect Church Admin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/church-admin/css/admin.css
/wp-content/plugins/church-admin/css/admin_responsive.css
/wp-content/plugins/church-admin/css/custom-fields.css
/wp-content/plugins/church-admin/css/event-calendar.css
/wp-content/plugins/church-admin/css/event-calendar-responsive.css
/wp-content/plugins/church-admin/css/font-awesome.min.css
/wp-content/plugins/church-admin/css/jquery-ui.min.css
/wp-content/plugins/church-admin/css/responsive-calendar.css
+32 more

Script Paths
/wp-content/plugins/church-admin/js/church-admin.js
/wp-content/plugins/church-admin/js/church-admin_settings.js
/wp-content/plugins/church-admin/js/admin.js

Version Parameters
church-admin/css/admin.css?ver=, church-admin/css/admin_responsive.css?ver=, church-admin/css/custom-fields.css?ver=, church-admin/css/event-calendar.css?ver=, church-admin/css/event-calendar-responsive.css?ver=, church-admin/css/font-awesome.min.css?ver=, church-admin/css/jquery-ui.min.css?ver=, church-admin/css/responsive-calendar.css?ver=, church-admin/css/responsive-table.css?ver=, church-admin/css/site.css?ver=, church-admin/css/site_responsive.css?ver=, church-admin/css/table-sorter.css?ver=, church-admin/js/admin.js?ver=, church-admin/js/admin_people.js?ver=, church-admin/js/calendar.js?ver=, church-admin/js/chart.min.js?ver=, church-admin/js/church-admin.js?ver=, church-admin/js/church-admin_form.js?ver=, church-admin/js/church-admin_menu.js?ver=, church-admin/js/church-admin_people.js?ver=, church-admin/js/church-admin_reports.js?ver=, church-admin/js/church-admin_settings.js?ver=, church-admin/js/custom_fields.js?ver=, church-admin/js/date.js?ver=, church-admin/js/datetimepicker.js?ver=, church-admin/js/elementor-helper.js?ver=, church-admin/js/gcalendar.js?ver=, church-admin/js/jquery.autocomplete.js?ver=, church-admin/js/jquery.datetimepicker.js?ver=, church-admin/js/jquery.form.js?ver=, church-admin/js/jquery.tablesorter.js?ver=, church-admin/js/jquery-ui.min.js?ver=, church-admin/js/main.js?ver=, church-admin/js/moment.min.js?ver=, church-admin/js/new-style.js?ver=, church-admin/js/pdfmake.min.js?ver=, church-admin/js/people.js?ver=, church-admin/js/responsive-calendar.js?ver=, church-admin/js/shortcode.js?ver=, church-admin/js/vfs_fonts.js?ver=

HTML / DOM Fingerprints

CSS Classes
ca-yellow, ca-dashicons, church-admin-add-person, church-admin-form-wrap, church-admin-people-nav, church-admin-people-title, church-admin-reporting-results, church-admin-section-title, +18 more

HTML Comments
<!-- Church Admin Menu -->, <!-- Church Admin People Menu -->, <!-- Church Admin Tab Nav -->, <!-- Church Admin Tab Content -->, +21 more

Data Attributes
data-id, data-module, data-section, data-type, data-action, data-menu, +7 more

JS Globals
church_admin_ajax_url, church_admin_vars, church_admin_people_vars, church_admin_calendar_vars, church_admin_form_vars, church_admin_menu_vars, +19 more

REST Endpoints
/wp-json/church-admin/v1/people, /wp-json/church-admin/v1/events, /wp-json/church-admin/v1/settings

Shortcode Output
[church_admin_people], [church_admin_events], [church_admin_directory], [church_admin_form]