CVE-2024-34828 in Church Admin Plugin

Summary

by MITRE • 05/14/2024

Cross-Site Request Forgery (CSRF) vulnerability in andy_moyle Church Admin church-admin. This issue affects Church Admin: from n/a through <= 4.1.32.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/02/2026

The Cross-Site Request Forgery vulnerability identified as CVE-2024-34828 represents a critical security weakness in the Church Admin plugin for WordPress systems. This vulnerability specifically impacts versions ranging from the initial release through version 4.1.32, creating a persistent risk for churches and religious organizations that rely on this administrative tool for managing their digital presence. The flaw enables attackers to execute unauthorized actions on behalf of authenticated users, potentially compromising the integrity of church administrative functions and sensitive data.

The root cause of this CSRF vulnerability is the absence of anti-CSRF token validation in the plugin's request processing. When a request reaches the affected plugin interface, the plugin does not verify that it originated from a legitimate administrative session rather than from a third-party page. A malicious actor can therefore craft a request that the browser submits with the victim's session cookies, exploiting the trust relationship between the web application and its users. The vulnerability is triggered when a user visits a malicious website or follows a compromised link while logged into the church administration panel, allowing the attacker to perform actions such as modifying user permissions, altering church data, or executing administrative commands without authorization.

The operational impact of this vulnerability extends beyond simple data integrity concerns, potentially exposing sensitive church information including member details, financial records, and administrative configurations. Organizations utilizing the Church Admin plugin within the affected version range face significant risks of unauthorized modifications to their church databases, which could result in data loss, compromised user accounts, or even complete system takeover scenarios. The vulnerability particularly affects churches that depend heavily on digital administration tools for managing their congregational data, event scheduling, and financial transactions, making them attractive targets for cybercriminals seeking to exploit these administrative weaknesses.

Mitigation strategies for this CSRF vulnerability should prioritize immediate plugin updates to versions that have addressed the security flaw, as this represents the most effective remediation approach. Organizations should also implement additional security measures including the enforcement of proper CSRF token validation mechanisms, regular security audits of their WordPress installations, and the implementation of web application firewalls to monitor and filter suspicious requests. Security professionals should consider applying the principle of least privilege to administrative accounts and regularly review user permissions within the Church Admin system to minimize potential damage from successful exploitation attempts. This vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses, and may be exploited using techniques referenced in the ATT&CK framework under the T1566 category for initial access through social engineering or compromised credentials.
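The token validation called for above, shown as an added example in the WordPress plugin idiom. This is constructed illustrative code, not Church Admin's own handler; the action name `ca_demo_update_setting`, the option `ca_demo_setting` and the nonce field `ca_demo_nonce` are assumed names. The weak handler accepts any authenticated POST, while the hardened handler requires a nonce tied to the user and action plus a capability check, and the form emits the matching nonce.

```php
<?php
// Constructed example of a WordPress admin-post handler. Not Church Admin's
// code; all ca_demo_* names are assumed for illustration.

// Weak form: trusts any POST that arrives with a valid login cookie, so a form
// submitted from a third-party page is processed as if the admin sent it.
function ca_demo_update_setting_weak() {
    if ( isset( $_POST['ca_setting'] ) ) {
        update_option( 'ca_demo_setting', sanitize_text_field( wp_unslash( $_POST['ca_setting'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=ca-demo' ) );
    exit;
}

// Hardened form: the request must carry a nonce bound to this action and user,
// and the user must hold the required capability; otherwise it is rejected.
function ca_demo_update_setting_safe() {
    // check_admin_referer() terminates with HTTP 403 when the nonce is
    // missing, expired or was issued for another user or action.
    check_admin_referer( 'ca_demo_update_setting', 'ca_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ca-demo' ), '', array( 'response' => 403 ) );
    }
    if ( isset( $_POST['ca_setting'] ) ) {
        update_option( 'ca_demo_setting', sanitize_text_field( wp_unslash( $_POST['ca_setting'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=ca-demo' ) );
    exit;
}
add_action( 'admin_post_ca_demo_update_setting', 'ca_demo_update_setting_safe' );

// The settings form emits the matching nonce so legitimate submissions pass
// check_admin_referer(); a page on another origin cannot read this value.
function ca_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ca_demo_update_setting">
        <?php wp_nonce_field( 'ca_demo_update_setting', 'ca_demo_nonce' ); ?>
        <input type="text" name="ca_setting"
               value="<?php echo esc_attr( get_option( 'ca_demo_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

WordPress nonces are tied to the user session and rotate on a fixed schedule, so a forged request that lacks one, or replays an old one, fails the `check_admin_referer()` call before any state changes.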

Reservation

05/09/2024

Disclosure

05/14/2024

Moderation

accepted

CPE

ready

EPSS

0.00253

KEV

no

Activities

very low
