CVE-2024-35637 in Church Admin Plugin
Summary
by MITRE • 06/03/2024
Server-Side Request Forgery (SSRF) vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.3.6.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/02/2026
The CVE-2024-35637 vulnerability represents a critical server-side request forgery flaw within the Church Admin web application developed by andy_moyle. This vulnerability specifically impacts versions ranging from the initial release through version 4.3.6, creating a significant security risk for organizations utilizing this church management software. The vulnerability stems from insufficient input validation and improper handling of user-supplied URLs within the application's server-side processing logic, allowing malicious actors to manipulate the application's behavior by directing it to make requests to arbitrary destinations.
The technical implementation of this SSRF vulnerability occurs when the Church Admin application fails to properly sanitize or validate URLs submitted by users through various input fields or API endpoints. Attackers can exploit this weakness by crafting malicious requests that bypass normal access controls and potentially gain unauthorized access to internal systems or sensitive data. The vulnerability enables attackers to perform reconnaissance activities, access internal network resources, and potentially escalate their privileges within the affected environment. This flaw operates at the application layer and can be particularly dangerous in environments where the Church Admin application runs with elevated privileges or has access to internal network resources.
The operational impact of this vulnerability extends beyond simple data theft or unauthorized access, as it can enable attackers to conduct broader reconnaissance activities against internal systems. Organizations using affected versions of Church Admin may face risks including unauthorized data access, potential system compromise, and exposure of sensitive church information. The vulnerability's exploitation can lead to cascading security issues, particularly in environments where the application has access to internal databases, network services, or other critical infrastructure components. This risk is exacerbated by the fact that the vulnerability affects multiple versions, suggesting a persistent flaw in the application's architecture rather than a one-time coding error.
Mitigation strategies for CVE-2024-35637 should prioritize immediate patching of affected versions to version 4.3.7 or later, as this represents the most direct and effective solution. Organizations should implement network-level restrictions to prevent outbound connections from the Church Admin application to internal systems, particularly by configuring firewalls to block access to private IP ranges. Input validation controls should be strengthened to ensure all URL parameters are properly sanitized and validated against a whitelist of acceptable domains or patterns. This vulnerability aligns with CWE-918, which specifically addresses server-side request forgery flaws, and maps to ATT&CK technique T1071.004 for application layer protocol evasion. Regular security assessments and monitoring of application logs for suspicious outbound requests should be implemented as additional defensive measures to detect potential exploitation attempts.