Description
Missing Authorization vulnerability in andy_moyle Church Admin church-admin. This issue affects Church Admin: from n/a through <= 5.0.9.
Published: 2025-09-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Missing Authorization flaw in the Church Admin plugin that allows an attacker to access sensitive data. It leads to information disclosure without granting execution or denial of service capabilities. The weakness is classified under CWE‑862: Missing Authorization.

Affected Systems

The affected product is the WordPress plugin Church Admin by andy_moyle. All releases from the initial version through 5.0.9 are vulnerable; newer versions are not listed as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. The most likely attack vector is a remote HTTP request to the plugin’s endpoints on a WordPress site where the plugin is installed; the attacker needs network access to the WordPress installation. No public exploit code is documented, and the flaw does not grant privileges beyond access to sensitive data.

Generated by OpenCVE AI on April 30, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Church Admin plugin to a version newer than 5.0.9 to apply the vendor’s fix.
  • If an immediate update is not possible, temporarily disable or remove the plugin to eliminate the exposure until a patch can be applied.
  • Perform a security audit of the site’s other plugins and settings to ensure sufficient authorization controls and apply any necessary patches or configurations.



Advisories
Source: EUVD
ID: EUVD-2025-27443
Title: Missing Authorization vulnerability in andy_moyle Church Admin. This issue affects Church Admin: from n/a through 5.0.9.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Missing Authorization vulnerability in andy_moyle Church Admin. This issue affects Church Admin: from n/a through 5.0.9.
Added: Missing Authorization vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 5.0.9.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Tue, 09 Sep 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 09 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in andy_moyle Church Admin. This issue affects Church Admin: from n/a through 5.0.9.
Title WordPress Church Admin plugin <= 5.0.9 - Sensitive Data Exposure vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:34.618Z

Reserved: 2025-04-16T06:24:54.680Z

Link: CVE-2025-39553

Vulnrichment

Updated: 2025-09-09T17:49:55.227Z

NVD

Status: Deferred

Published: 2025-09-09T17:15:45.677

Modified: 2026-04-23T15:29:46.720

Link: CVE-2025-39553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:30:16Z

Weaknesses