CVE-2026-61983 in Church Admin Plugin
Summary
by MITRE • 07/13/2026
Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/13/2026
This vulnerability represents a critical missing authorization flaw that undermines the access control mechanisms within the Church Admin application developed by andy_moyle. The security weakness stems from incorrectly configured access control security levels that fail to properly validate user permissions before granting access to administrative functions. This type of vulnerability falls under the CWE-285 category, which specifically addresses improper authorization issues in software applications. The flaw allows unauthorized users to potentially exploit administrative functionalities without proper authentication or authorization, creating a significant risk for organizations relying on this church management system.
The technical implementation of this vulnerability manifests through insufficient validation of user roles and permissions within the application's security framework. When users interact with the church-admin system, the application should verify that each request originates from an authenticated and authorized user with appropriate administrative privileges. However, due to the incorrectly configured access control levels, these verification checks are either absent or improperly implemented, allowing malicious actors to bypass normal authentication procedures. This misconfiguration creates a pathway for privilege escalation attacks where users without proper authorization can access sensitive administrative functions.
The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling complete compromise of church administrative data and systems. An attacker exploiting this flaw could gain access to confidential information including member records, financial data, event schedules, and other sensitive church administration details. The vulnerability affects all versions from the baseline through 5.0.30, indicating a prolonged period during which organizations using this software were exposed to potential exploitation. This widespread impact suggests that many churches may have been unknowingly vulnerable to attacks targeting their administrative systems.
Organizations utilizing Church Admin version 5.0.30 and earlier should immediately implement mitigations including updating to the latest available version where the authorization flaw has been addressed. Additionally, administrators should review and tighten access control configurations within their existing deployments, implementing proper role-based access controls and ensuring all administrative functions require explicit authorization. The remediation efforts should align with industry standards such as those recommended in the NIST Cybersecurity Framework and should incorporate principles from the MITRE ATT&CK framework, particularly focusing on privilege escalation and defense evasion techniques that attackers might employ through such authorization bypass vulnerabilities. Regular security audits and penetration testing should be conducted to verify proper access control implementation and prevent similar configuration errors from occurring in other system components.