A critical vulnerability, CVE-2024-31280, has been discovered in the Church Admin WordPress plugin, affecting versions up to and including 4.1.5. The flaw allows the unrestricted upload of files with dangerous types: the plugin does not properly restrict which file types can be uploaded, so an attacker can place a file such as a PHP web shell on the server. Because the web server will execute such a file when it is requested, a successful upload can be turned into code execution on the host and full control of the affected website.
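To make the vulnerability class concrete, the following PHP is an added, generic illustration and is not code from the Church Admin plugin or from Patchstack's advisory. It contrasts the pattern that produces an "unrestricted upload of file with dangerous type" finding in a WordPress plugin with a hardened handler built on WordPress's own upload API. All function names (hypothetical_vulnerable_upload, hypothetical_hardened_upload), the form field name attachment, and the nonce action hypothetical_upload are invented for the example.

```php
<?php
// Added illustration only; not Church Admin code. Names are hypothetical.

// VULNERABLE PATTERN: the client-supplied filename (and therefore its extension)
// is trusted, there is no capability or nonce check, and the file is written
// directly into the public uploads directory. Uploading "shell.php" yields a
// web-reachable, executable backdoor.
function hypothetical_vulnerable_upload() {
    $file = $_FILES['attachment'];
    $dest = wp_upload_dir()['basedir'] . '/' . $file['name']; // extension controlled by attacker
    move_uploaded_file( $file['tmp_name'], $dest );            // no auth, no CSRF token, no type check
    return $dest;
}

// HARDENED PATTERN: authorize the request, decide the allowed types server-side,
// verify the real file type against the claimed extension, and let WordPress
// sanitize the name and perform the move.
function hypothetical_hardened_upload() {
    // 1. Only authenticated users with the upload_files capability, and only with
    //    a valid nonce for this action (prevents cross-site request forgery).
    if ( ! current_user_can( 'upload_files' )
        || ! check_ajax_referer( 'hypothetical_upload', 'nonce', false ) ) {
        wp_die( 'Forbidden', 403 );
    }
    if ( empty( $_FILES['attachment'] ) || UPLOAD_ERR_OK !== $_FILES['attachment']['error'] ) {
        wp_die( 'Bad request', 400 );
    }
    $file = $_FILES['attachment'];

    // 2. Allow-list the types this feature actually needs. Never trust $file['type'],
    //    which is sent by the client. wp_check_filetype_and_ext() inspects the file
    //    content for images and rejects a mismatch between extension and content.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed', 415 );
    }

    // 3. wp_handle_upload() sanitizes the filename, enforces the same MIME allow-list,
    //    and stores the file under the uploads directory with a unique name.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    return $result['file']; // absolute path of the stored file
}
```

Two points worth noting when reviewing upload code of this kind. First, extension filtering alone is weak: double extensions, case variants and server-side handler mappings have all been used to get PHP executed from a file that passed a naive check, which is why the hardened version validates content and type together and relies on a strict allow-list rather than a block-list. Second, as defence in depth independent of any plugin, many operators configure the web server to refuse to execute scripts from the uploads directory, so that a bypass of the application check still does not give code execution.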
Patchstack, the active Vulnerability Disclosure Platform (VDP) for this plugin, has classified the patch priority as high and recommends immediate mitigation. The fixed version, 4.1.6, addresses this vulnerability, and websites running any vulnerable version are urged to update to 4.1.6 or later to close it. Patchstack has also issued a virtual patch, a firewall rule that blocks attack traffic targeting this flaw, to protect its users until the plugin itself can be updated.
Given the high severity of this vulnerability, website administrators are strongly advised to act promptly. The primary mitigation is to update the plugin to 4.1.6 or later and confirm that the installed version actually changed. Because the flaw permits arbitrary file upload, a site that ran a vulnerable version should also be checked for signs of prior exploitation, in particular unexpected files with executable extensions such as .php in the uploads directory, since updating the plugin removes the entry point but does not remove a backdoor that was already placed. Restricting script execution in the uploads directory at the web-server level is a worthwhile additional safeguard. By prioritizing security updates and monitoring for emerging threats, website owners can protect their sites from attacks of this kind.