CVE-2026-0682
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-17

Last updated on: 2026-01-17

Assigner: Wordfence

Description
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-17
Last Modified
2026-01-17
Generated
2026-06-16
AI Q&A
2026-01-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0682
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
church_admin church_admin to 5.0.28 (inc)
church_admin church_admin 5.0.29
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow an attacker with Administrator privileges to make the server perform HTTP requests to arbitrary locations, including internal network services that are not normally accessible externally. This can lead to unauthorized access or modification of internal data, potentially exposing sensitive information or affecting internal systems.

Executive Summary

The vulnerability is a Server-Side Request Forgery (SSRF) in the Church Admin WordPress plugin affecting all versions up to and including 5.0.28. It occurs because the plugin does not properly validate user-supplied URLs in the 'audio_url' parameter. This allows authenticated attackers with Administrator-level access to make web requests from the web application to arbitrary locations, potentially querying or modifying information on internal services.

Mitigation Strategies

To mitigate the Server-Side Request Forgery vulnerability in the Church Admin WordPress plugin (CVE-2026-0682), you should update the plugin to a version later than 5.0.28, as all versions up to and including 5.0.28 are vulnerable. Additionally, restrict Administrator-level access to trusted users only, since the vulnerability requires authenticated Administrator privileges. Applying the latest security patches and following best practices for user permissions will help reduce risk. [5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0682. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart