CVE-2024-37440 in Church Admin Plugininfo

Summary

by MITRE • 11/01/2024

Missing Authorization vulnerability in Andy Moyle Church Admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through 4.4.4.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/22/2026

The vulnerability identified as CVE-2024-37440 represents a critical missing authorization flaw within the Church Admin application developed by Andy Moyle. This security weakness manifests as an incorrectly configured access control mechanism that permits unauthorized users to exploit functionality that should be restricted to authorized personnel only. The vulnerability exists across all versions of the software from the initial release through version 4.4.4, indicating a persistent issue that has not been adequately addressed in the application's security architecture.

The technical flaw stems from inadequate implementation of access control checks within the application's authorization framework. When users interact with the Church Admin system, the application fails to properly validate whether the requesting user possesses the necessary permissions to access specific functions or data. This misconfiguration allows malicious actors or unauthorized individuals to bypass normal security boundaries and gain access to administrative features, user data, or system configuration options that should remain protected. The vulnerability operates at the application layer and can be exploited through various attack vectors including direct API calls, web interface manipulation, or by leveraging session tokens from compromised accounts.

The operational impact of this vulnerability is significant and multifaceted. An attacker who successfully exploits this missing authorization flaw could potentially gain administrative privileges within the Church Admin system, enabling them to modify user accounts, alter church data, access sensitive information, or even disrupt system operations. The implications extend beyond simple data access, as the vulnerability could allow for privilege escalation attacks that compromise the entire application environment. Given that this is a church administration system, the compromised data could include personal information of church members, financial records, event details, and other confidential administrative data that organizations rely on for operational continuity and legal compliance.

Organizations utilizing the Church Admin application are strongly advised to implement immediate mitigations while awaiting official patches or updates from the vendor. The primary recommendation involves enforcing proper access control validation at all application entry points and ensuring that every function call includes robust authorization checks. Security teams should also implement network-level controls such as firewalls and intrusion detection systems to monitor for suspicious access patterns. Additionally, administrators should conduct thorough access reviews to ensure that only legitimate users possess the appropriate permissions within the system. This vulnerability aligns with CWE-285, which specifically addresses improper authorization issues, and could potentially map to ATT&CK techniques related to privilege escalation and credential access. Organizations should also consider implementing application whitelisting and monitoring for unauthorized access attempts to reduce the risk of exploitation.

Responsible

Patchstack

Reservation

06/09/2024

Disclosure

11/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00332

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!