CVE-2023-34021 – WordPress Church Admin Plugin <= 3.7.29 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-34021
Unauthenticated reflected cross-site scripting (XSS) in the Andy Moyle Church Admin plugin for WordPress, versions up to and including 3.7.29, caused by insufficient input sanitization and output escaping. An unauthenticated attacker can inject arbitrary web script into a page; the script executes in the victim's browser if the attacker tricks a user into an action such as clicking a crafted link. As with any reflected XSS, the practical target is a logged-in user (typically an administrator), whose session the injected script then runs under.
• https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-3-7-29-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-30782 – WordPress Church Admin Plugin <= 3.7.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-30782
Unauthenticated reflected cross-site scripting (XSS) in the Andy Moyle Church Admin plugin for WordPress, versions up to and including 3.7.5, via the $what parameter, caused by insufficient input sanitization and output escaping. An unauthenticated attacker can inject arbitrary web script into a page; the script executes in the victim's browser if the attacker tricks a user into an action such as clicking a crafted link.
• https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-3-7-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0833 – Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure
https://notcve.org/view.php?id=CVE-2022-0833
The Church Admin WordPress plugin before 3.4.135 (that is, up to and including 3.4.134) has neither authorisation nor CSRF checks on some of its actions, and does not protect the files it generates. An unauthenticated attacker can repeatedly request the "refresh-backup" action while concurrently polling a publicly accessible temporary file the plugin writes during the backup; that temporary file discloses the final backup filename. Because the plugin does not restrict external access to the backup file, the attacker can then fetch it and download the backup of the plugin's database data. The missing CSRF protection (CWE-352) means the same action can also be triggered through a forged request if a site administrator is tricked into an action such as clicking a link. Note the race-condition nature of the attack: the filename is only visible while the temporary file exists, so the requests have to overlap.
• https://wpscan.com/vulnerability/b2c7c1e8-d72c-4b1e-b5cb-dc2a6538965d
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-862: Missing Authorization
CVE-2018-20971 – Church Admin < 1.2550 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-20971
The church-admin plugin before 1.2550 for WordPress has a cross-site request forgery (CSRF) vulnerability affecting the upload of a bible reading plan: the upload action does not verify that the request was intentionally issued by the authenticated user, so an attacker can have a logged-in user's browser submit it.
• https://wordpress.org/plugins/church-admin/#developers
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2015-4127 – Church Admin < 0.810 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-4127
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/. The advisory classifies this as stored XSS: the injected value is persisted with the registration data and rendered later, so no victim interaction with a crafted link is needed.
• https://www.exploit-db.com/exploits/37112
• http://packetstormsecurity.com/files/132034/WordPress-Church-Admin-0.800-Cross-Site-Scripting.html
• http://www.osvdb.org/121304
• http://www.securityfocus.com/bid/74782
• https://wordpress.org/plugins/church-admin/changelog
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
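The five entries above each name an affected version range with different boundary semantics ("<= 3.7.29" versus "< 3.4.135"), and a plugin install only records its version in the file header comment. The following script, an added example that is not code from notcve.org or from the Church Admin plugin, reads a WordPress plugin header, parses the `Version:` line and reports which of the CVEs listed on this page apply to that version. It assumes plain dotted-integer version numbering (0.810, 1.2550, 3.4.135, 3.7.29, as used by this plugin on WordPress.org); the embedded plugin header is constructed for the example and is not the real church-admin.php.

```python
"""Map an installed Church Admin plugin version to the CVEs listed on this page.

Added example, not from notcve.org or the plugin. Affected ranges are
transcribed from the entries above. Version comparison is a dotted-integer
tuple compare (assumption: the plugin never uses suffixes such as "-beta").
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable


def parse_version(v: str) -> tuple[int, ...]:
    """'3.7.29' -> (3, 7, 29). Accepts an optional leading 'v'; rejects suffixes.

    Trailing zero components are dropped so '3.7.0' compares equal to '3.7'.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", v)
    if not m:
        raise ValueError(f"unparseable plugin version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def up_to_and_including(bound: str) -> Callable[[tuple[int, ...]], bool]:
    """Predicate for ranges written '<= bound' (Patchstack/Wordfence style)."""
    b = parse_version(bound)
    return lambda ver: ver <= b


def before(bound: str) -> Callable[[tuple[int, ...]], bool]:
    """Predicate for ranges written '< bound' (WPScan/NVD style)."""
    b = parse_version(bound)
    return lambda ver: ver < b


@dataclass(frozen=True)
class Advisory:
    cve: str
    summary: str
    affected: Callable[[tuple[int, ...]], bool]


# Ranges exactly as stated in the entries on this page.
ADVISORIES: list[Advisory] = [
    Advisory("CVE-2023-34021", "unauthenticated reflected XSS", up_to_and_including("3.7.29")),
    Advisory("CVE-2023-30782", "unauthenticated reflected XSS via $what", up_to_and_including("3.7.5")),
    Advisory("CVE-2022-0833", "unauthenticated backup disclosure (missing authz + CSRF)", before("3.4.135")),
    Advisory("CVE-2018-20971", "CSRF on bible reading plan upload", before("1.2550")),
    Advisory("CVE-2015-4127", "stored XSS via address parameter", before("0.810")),
]

# Standard WordPress plugin header line, e.g. "Version: 3.7.5" or " * Version: 3.7.5".
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def version_from_plugin_header(header_text: str) -> str:
    """Extract the Version: field from a WordPress plugin file header comment."""
    m = HEADER_VERSION_RE.search(header_text)
    if not m:
        raise ValueError("no 'Version:' line found in plugin header")
    return m.group(1)


def applicable_cves(version: str) -> list[str]:
    """Return the CVE identifiers from this page whose range contains `version`."""
    ver = parse_version(version)
    return [a.cve for a in ADVISORIES if a.affected(ver)]


# Constructed sample header modelled on the WordPress plugin header format;
# this is not the real church-admin.php.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Church Admin
Plugin URI: https://wordpress.org/plugins/church-admin/
Description: constructed sample header for the example
Version: 3.7.5
Author: Andy Moyle
*/
"""

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    for a in ADVISORIES:
        if a.cve in applicable_cves(installed):
            print(f"{installed}: {a.cve} applies ({a.summary})")
```

The two boundary helpers are deliberately separate because advisory sources phrase the same fix differently: WPScan's "before 3.4.135" and Wordfence's "up to, and including, 3.4.134" describe one range, and mixing the two styles up by one patch level is the usual way such version checks go wrong. In a real audit, read the header from `wp-content/plugins/church-admin/church-admin.php` on the target rather than from the constructed sample.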