Church Admin <= 4.1.5 - Authenticated (Subscriber+) Arbitrary File Upload

Wordfence Intelligence   >   Vulnerability Database   >   Church Admin <= 4.1.5 - Authenticated (Subscriber+) Arbitrary File Upload
8.8
Unrestricted Upload of File with Dangerous Type
CVE CVE-2024-31280
CVSS 8.8 (High)
Publicly Published April 5, 2024
Last Updated April 11, 2024
Researcher Peng Zhou

Description

The Church Admin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Learn more about Arbitrary File Upload vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for Church Admin

Church Admin

Software Type Plugin
Software Slug church-admin (view on wordpress.org)
Patched? Yes
Remediation Update to version 4.1.6, or a newer patched version
Affected Version
  • <= 4.1.5
Patched Version
  • 4.1.6

Recent vulnerabilities in Church Admin

Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter
2.2
CVE-2026-0682
Jan 16, 2026
Researcher: Phap Nguyen Anh
Church Admin <= 5.0.26 - Missing Authorization
5.3
CVE-2025-57896
Aug 22, 2025
Researcher: D01EXPLOIT OFFICIAL
Church Admin <= 5.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2025-39555
Apr 16, 2025
Researcher: zaim
Church Admin <= 5.0.9 - Unauthenticated Information Disclosure
5.3
CVE-2025-39553
Apr 16, 2025
Researcher: Kévin Mosbahi (Mika)
Church Admin <= 5.0.18 - Unauthenticated SQL Injection
7.5
CVE-2025-26941
Mar 13, 2025
Researcher: NAWardRox
Church Admin <= 5.0.8 - Missing Authorization
5.3
CVE-2024-53795
Dec 2, 2024
Researcher: Kévin Mosbahi (Mika)
Church Admin < 5.0.0 - Reflected Cross-Site Scripting
6.1
CVE-2024-50438
Oct 24, 2024
Researcher: Le Ngoc Anh
Church Admin <= 4.4.6 - Authenticated (Subscriber+) Arbitrary File Upload
8.8
CVE-2024-37418
Jul 4, 2024
Researcher: Peng Zhou
Church Admin <= 4.4.4 - Missing Authorization
5.3
CVE-2024-37440
Jun 28, 2024
Researcher: Ngô Thiên An (ancorn_)
Church Admin <= 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2024-35764
Jun 17, 2024
Researcher: Ngô Thiên An (ancorn_)
# Title CVE ID CVSS Researchers Date
1 Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter CVE-2026-0682 2.2 Phap Nguyen Anh January 16, 2026
2 Church Admin <= 5.0.26 - Missing Authorization CVE-2025-57896 5.3 D01EXPLOIT OFFICIAL August 22, 2025
3 Church Admin <= 5.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-39555 6.4 zaim April 16, 2025
4 Church Admin <= 5.0.9 - Unauthenticated Information Disclosure CVE-2025-39553 5.3 Kévin Mosbahi (Mika) April 16, 2025
5 Church Admin <= 5.0.18 - Unauthenticated SQL Injection CVE-2025-26941 7.5 NAWardRox March 13, 2025
6 Church Admin <= 5.0.8 - Missing Authorization CVE-2024-53795 5.3 Kévin Mosbahi (Mika) December 2, 2024
7 Church Admin < 5.0.0 - Reflected Cross-Site Scripting CVE-2024-50438 6.1 Le Ngoc Anh October 24, 2024
8 Church Admin <= 4.4.6 - Authenticated (Subscriber+) Arbitrary File Upload CVE-2024-37418 8.8 Peng Zhou July 4, 2024
9 Church Admin <= 4.4.4 - Missing Authorization CVE-2024-37440 5.3 Ngô Thiên An (ancorn_) June 28, 2024
10 Church Admin <= 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-35764 6.4 Ngô Thiên An (ancorn_) June 17, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation