CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50438 – WordPress Church Admin plugin < 5.0.0 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-50438
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Reflected XSS.This issue affects Church Admin: from n/a before 5.0.0. The Church Admin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-5-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37418 – WordPress Church Admin plugin <= 4.4.6 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-37418
Unrestricted Upload of File with Dangerous Type vulnerability in Andy Moyle Church Admin allows Upload a Web Shell to a Web Server.This issue affects Church Admin: from n/a through 4.4.6. La carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Andy Moyle Church Admin permite cargar un Web Shell a un servidor web. Este problema afecta a Church Admin: desde n/a hasta 4.4.6. The Church Admin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 4.4.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-6-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37440 – WordPress Church Admin plugin <= 4.4.4 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-37440
Missing Authorization vulnerability in Andy Moyle Church Admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through 4.4.4. The Church Admin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete-household cas in versions up to, and including, 4.4.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete households. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-4-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35764 – WordPress Church Admin plugin <= 4.4.4 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-35764
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Stored XSS.This issue affects Church Admin: from n/a through 4.4.4. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Andy Moyle Church Admin permite XSS Almacenado. Este problema afecta a Church Admin: desde n/a hasta 4.4.4. The Church Admin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35637 – WordPress Church Admin plugin <= 4.3.6 - Server Side Request Forgery (SSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-35637
Server-Side Request Forgery (SSRF) vulnerability in Church Admin.This issue affects Church Admin: from n/a through 4.3.6. Vulnerabilidad de Server-Side Request Forgery (SSRF) en Church Admin. Este problema afecta a Church Admin: desde n/a hasta 4.3.6. The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-3-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •