CVE-2025-57896: 
WordPress vulnerability analysis and mitigation

The Church Admin WordPress plugin contains a Missing Authorization vulnerability (CVE-2025-57896) discovered on August 22, 2025. This security issue affects all versions of Church Admin up to and including version 5.0.26, allowing unauthenticated attackers to exploit incorrectly configured access control security levels (Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 Base Score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The technical nature of the vulnerability stems from a missing capability check on a function that enables unauthenticated users to perform unauthorized actions. The issue has been assigned CWE-862 (Missing Authorization) (Rapid7, Patchstack).

The vulnerability allows unauthenticated attackers to perform unauthorized actions within the Church Admin plugin. While the integrity impact is rated as Low, with no direct effect on confidentiality or availability, the vulnerability presents a security risk due to its unauthenticated nature (Patchstack).

The vulnerability has been patched in version 5.0.27 of the Church Admin plugin. Users are advised to update to this version or later to resolve the security issue. The fix addresses the broken access control vulnerability by implementing proper authorization checks (Patchstack).