CVE-2024-35764 – WordPress Church Admin plugin <= 4.4.4 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-35764
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Stored XSS. This issue affects Church Admin: from n/a through 4.4.4. The Church Admin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-4-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-38515 – WordPress Church Admin Plugin <= 3.7.56 is vulnerable to Server Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-38515
Server-Side Request Forgery (SSRF) vulnerability in Andy Moyle Church Admin. This issue affects Church Admin: from n/a through 3.7.56. The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.7.56 via the church_admin_import_csv function when importing from a CSV file. This allows authenticated attackers with administrator access to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-3-7-56-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF)
CVE-2023-34021 – WordPress Church Admin Plugin <= 3.7.29 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-34021
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moyle Church Admin plugin versions <= 3.7.29. The Church Admin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.7.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/church-admin/wordpress-church-admin-plugin-3-7-29-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0833 – Church Admin < 3.4.135 - Unauthenticated Plugin's Backup Disclosure
https://notcve.org/view.php?id=CVE-2022-0833
The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF checks in some of its actions as well as in requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data. The Church Admin plugin for WordPress is vulnerable to Unauthenticated Backup Disclosure in versions up to, and including, 3.4.134. Attackers can repeatedly request the "refresh-backup" action and simultaneously request a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename. Once that backup name is obtained, the plugin lacks sufficient protections to prevent accessing those files externally. This makes it possible for unauthenticated attackers to download the backup of the plugin's data once they conduct this attack, which requires a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/b2c7c1e8-d72c-4b1e-b5cb-dc2a6538965d • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-862: Missing Authorization
CVE-2015-4127 – Church Admin < 0.810 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-4127
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/. • https://www.exploit-db.com/exploits/37112 • http://packetstormsecurity.com/files/132034/WordPress-Church-Admin-0.800-Cross-Site-Scripting.html • http://www.osvdb.org/121304 • http://www.securityfocus.com/bid/74782 • https://wordpress.org/plugins/church-admin/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')