Analysis Report · Folder Analysis cache/church-admin_5.0.28 → cache/church-admin_5.0.29 — CVE-2026-0682
Shared security patch analysis results
CVE Security Analysis & Writeups
Comprehensive security analysis generated by AI for each confirmed CVE match, covering vulnerability background, technical details, patch analysis, and PoC guide.
CVE-2026-0682
Findings
includes/sermon-podcast.php
AI: 5 vulnerabilities
1 false positive, 4 true positives
CVE-2026-0682
--- cache/church-admin_5.0.28/includes/sermon-podcast.php 2026-01-18 00:19:18.199687894 +0000+++ cache/church-admin_5.0.29/includes/sermon-podcast.php 2026-01-18 00:24:12.573973927 +0000@@ -693,6 +693,10 @@ //from 3.6.20 use WordPress native function $audiometadata=wp_read_audio_metadata( $path.$sanitizedFilename );+ if(empty($audiometadata)){+ echo'<div class="notice notice-danger">'.esc_html(__('File not recognised as an mp3','church-admin') ).'</div>';+ return;+ } $length=!empty( $audiometadata['length_formatted'] )?$audiometadata['length_formatted']:null; 
@@ -727,6 +731,7 @@ if(!empty( $_POST['private'] ) ) {$private="1";}else{$private="0";} $servicesArray= get_option('church_admin_services');+ if(empty($servicesArray)){$servicesArray=array();} if(!empty($form['service_name'])){ if(!in_array($form['service_name'],$servicesArray)){ $servicesArray[]=$form['service_name'];@@ -1035,7 +1040,7 @@ case "lithuanian": $url='https://api.preachingcentral.com/bible.php?passage='.$passage.'&version='.$version; - $ch = curl_init( $url);+ $ch = curl_init( esc_url($url)); curl_setopt( $ch,CURLOPT_FAILONERROR,true); curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1); $out='<p>';@@ -1169,21 +1174,17 @@ { $errors['content']=__('You need to upload an audio file or enter an audio or video url','church-admin'); }- /****************************************- * Handle if Google share url in audio_url- ***************************************/+ if(!empty( $form['audio_url'] ) ) {- $sqlsafe['audio_url']=$form['audio_url'];+ $sqlsafe['audio_url']=esc_sql($form['audio_url']); $audioURL=$form['audio_url'];- church_admin_debug('URL: '.$sqlsafe['audio_url']);- - $mimeType=church_admin_getRemoteMimeType( $sqlsafe['audio_url'] ); - $dot_and_ext = substr($sqlsafe['audio_url'] ,-4);- church_admin_debug($dot_and_ext);+ $mimeType=church_admin_getRemoteMimeType( $sqlsafe['audio_url'] );//doesn't work for all servers+ + $ext = substr($form['audio_url'],-4); - if( $mimeType!='audio/mpeg' && $dot_and_ext!='.mp3' ) {$errors['audio_url']=__('External file is not an mp3','church-admin');}+ if( $mimeType!='audio/mpeg' && $ext!='.mp3')$errors['audio_url']=__('External file is not an mp3','church-admin'); $length=!empty($form['external_duration'])?$form['external_duration']: NULL; 
@@ -1235,7 +1236,10 @@ $length=!empty( $audiometadata['length_formatted'] )?$audiometadata['length_formatted']:null; } if(empty($file_name))$ile_name=null;+ + $servicesArray= get_option('church_admin_services');+ if(empty($servicesArray)){$servicesArray=array();} if(!empty($form['service_name'])){ if(!in_array($form['service_name'],$servicesArray)){ $servicesArray[]=$form['service_name'];@@ -1244,13 +1248,17 @@ } }+++ /****************************** * Abort if there are errors ******************************/ if(!empty( $errors) ) { church_admin_debug("There were errors \r\n".print_r( $errors,TRUE) );- echo wp_kses_post('<p>'.implode('<br>',$errors).'</p>');+ echo '<div class="notice notice-danger">'.wp_kses_post('<p>'.implode('<br>',$errors)).'</p></div>'; church_admin_sermon_form( $data,$errors);+ return; } else {//save sermon@@ -1331,19 +1339,19 @@ if(empty($file_name)){$file_name=null;} //church_admin_debug("SQLSAFE data\r\n".print_r( $sqlsafe,TRUE) );- if ( empty( $file_id) )$file_id=$wpdb->get_var('SELECT file_id FROM '.$wpdb->prefix.'church_admin_sermon_files WHERE external_file="'.$sqlsafe['audio_url'].'" AND length="'.$length.'" AND private="'.$private.'" AND file_name="'.$file_name.'" AND file_title="'.$sqlsafe['file_title'].'" AND file_description="'.$sqlsafe['file_description'].'" AND service_id="'.$sqlsafe['service_id'].'" AND series_id="'.$sqlsafe['series_id'].'" AND speaker="'.$speaker.'"');+ if ( empty( $file_id) )$file_id=$wpdb->get_var('SELECT file_id FROM '.$wpdb->prefix.'church_admin_sermon_files WHERE external_file="'.esc_sql($form['audio_url']).'" AND length="'.$length.'" AND private="'.$private.'" AND file_name="'.$file_name.'" AND file_title="'.$sqlsafe['file_title'].'" AND file_description="'.$sqlsafe['file_description'].'" AND service_id="'.$sqlsafe['service_id'].'" AND series_id="'.$sqlsafe['series_id'].'" AND speaker="'.$speaker.'"'); //church_admin_debug( $wpdb->last_query); if(!empty( $file_id) ) {//update - $sql='UPDATE 
'.$wpdb->prefix.'church_admin_sermon_files SET embed_code="'.esc_sql( $embed_code ).'",external_file="'.$sqlsafe['audio_url'].'", video_url="'.$sqlsafe['video_url'].'",transcript="'.$transcript.'",file_subtitle="'.$sqlsafe['file_subtitle'].'",pub_date="'.$sqlsafe['pub_date'].'",length="'.$length.'", private="'.$private.'",last_modified="'.date("Y-m-d H:i:s" ).'",file_name="'.esc_sql($file_name).'" , file_title="'.$sqlsafe['file_title'].'" , file_description="'.$sqlsafe['file_description'].'" , service_id="'.$sqlsafe['service_id'].'",series_id="'.$sqlsafe['series_id'].'" , speaker="'.$speaker.'", bible_passages="'.$passages.'",bible_texts="'.$sqlsafe['passages'].'",file_slug="'.esc_sql(sanitize_title( $form['file_title'] ) ).'" WHERE file_id="'.esc_sql( $file_id).'"';+ $sql='UPDATE '.$wpdb->prefix.'church_admin_sermon_files SET embed_code="'.esc_sql( $embed_code ).'",external_file="'.esc_sql($form['audio_url']).'", video_url="'.esc_sql($form['video_url']).'",transcript="'.$transcript.'",file_subtitle="'.$sqlsafe['file_subtitle'].'",pub_date="'.$sqlsafe['pub_date'].'",length="'.$length.'", private="'.$private.'",last_modified="'.date("Y-m-d H:i:s" ).'",file_name="'.esc_sql($file_name).'" , file_title="'.$sqlsafe['file_title'].'" , file_description="'.$sqlsafe['file_description'].'" , service_id="'.$sqlsafe['service_id'].'",series_id="'.$sqlsafe['series_id'].'" , speaker="'.$speaker.'", bible_passages="'.$passages.'",bible_texts="'.$sqlsafe['passages'].'",file_slug="'.esc_sql(sanitize_title( $form['file_title'] ) ).'" WHERE file_id="'.esc_sql( $file_id).'"'; $wpdb->query( $sql); //church_admin_debug("DB Update \r\n".$wpdb->last_query); }//end update else {//insert- $sql='INSERT INTO '.$wpdb->prefix.'church_admin_sermon_files 
(file_name,file_title,file_subtitle,file_description,private,length,service_id,series_id,speaker,pub_date,last_modified,transcript,video_url,external_file,bible_passages,bible_texts,file_slug,embed_code)VALUES("'.esc_sql($file_name).'","'.$sqlsafe['file_title'].'","'.$sqlsafe['file_subtitle'].'","'.$sqlsafe['file_description'].'" ,"'.$private.'","'.$length.'","'.$sqlsafe['service_id'].'","'.$sqlsafe['series_id'].'","'.$speaker.'" ,"'.$sqlsafe['pub_date'].'","'.date("Y-m-d H:i:s" ).'","'.$transcript.'","'.$sqlsafe['video_url'].'","'.$sqlsafe['audio_url'].'","'.$passages.'","'.$sqlsafe['passages'].'","'.esc_sql(sanitize_title( $form['file_title'] ) ).'","'.esc_sql( $embed_code ).'")';+ $sql='INSERT INTO '.$wpdb->prefix.'church_admin_sermon_files (file_name,file_title,file_subtitle,file_description,private,length,service_id,series_id,speaker,pub_date,last_modified,transcript,video_url,external_file,bible_passages,bible_texts,file_slug,embed_code)VALUES("'.esc_sql($file_name).'","'.$sqlsafe['file_title'].'","'.$sqlsafe['file_subtitle'].'","'.$sqlsafe['file_description'].'" ,"'.$private.'","'.$length.'","'.$sqlsafe['service_id'].'","'.$sqlsafe['series_id'].'","'.$speaker.'" ,"'.$sqlsafe['pub_date'].'","'.date("Y-m-d H:i:s" ).'","'.$transcript.'","'.esc_sql($sqlsafe['video_url']).'","'.esc_sql($form['audio_url']).'","'.$passages.'","'.$sqlsafe['passages'].'","'.esc_sql(sanitize_title( $form['file_title'] ) ).'","'.esc_sql( $embed_code ).'")'; $wpdb->query( $sql); //church_admin_debug("DB Insert \r\n".$wpdb->last_query); $file_id=$wpdb->insert_id;
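Review bot: in the hunk at -693,6 the notice emitted after wp_read_audio_metadata() uses the CSS class `notice-danger`, which is not one of the WordPress admin notice classes (`notice-error`, `notice-warning`, `notice-success`, `notice-info`); change it to `notice notice-error` so the message is actually styled as an error. The `empty($audiometadata)` check itself is correct, since wp_read_audio_metadata() returns false when the file is not recognised.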
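Review bot: in the hunk at -727,6 the guard `if(empty($servicesArray)){$servicesArray=array();}` only covers get_option() returning false or an empty value; a stored option that is non-empty but not an array still reaches in_array() and raises a TypeError on PHP 8. Use `if(!is_array($servicesArray)){$servicesArray=array();}`, or pass `array()` as the default argument to get_option() and keep the is_array() check.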
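Review bot: in the hunk at -1035,7 esc_url() is the wrong tool for `curl_init( esc_url($url))`: it is an output-escaping helper for HTML context, so it does not restrict the destination and it HTML-encodes `&` to `&#038;`, which corrupts the `passage=...&version=...` query string sent to the API. Since the host is a fixed literal here, the real gap is that `$passage` and `$version` are concatenated without encoding; build the query with add_query_arg() or rawurlencode() each value, and for a URL consumed by code rather than rendered use esc_url_raw(), or replace the curl calls with wp_remote_get()/wp_safe_remote_get().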
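Review bot: the hunk at -1169,21 changes the SQL escaping of `audio_url` but not the request that the CVE describes: `church_admin_getRemoteMimeType( $sqlsafe['audio_url'] )` still fetches whatever URL the form supplied, and the argument it receives has been passed through esc_sql(), an escaping function for a different context. Validate the URL before any network access (wp_http_validate_url() rejects non-http(s) schemes and loopback/private hosts, and wp_safe_remote_head() applies the same check) and apply esc_sql() only at the point where the query is built. Two smaller points: the `.mp3` suffix test on `$ext` is a name check, not a content check, so it cannot stand in for the MIME check the comment says "doesn't work for all servers"; and dropping the braces from the single-statement `if` is a readability regression in a file that otherwise braces its blocks.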
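Review bot: in the hunk at -1235,7 the context line `if(empty($file_name))$ile_name=null;` directly above the added block assigns to a misspelled variable, so `$file_name` is never reset on this path; since the patch already touches this spot, correct it to `$file_name=null;`. The added `get_option('church_admin_services')` guard duplicates the one introduced at line 731; factor both into a small helper that returns an array (with an is_array() check) so the two paths stay in sync.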
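Review bot: in the hunk at -1244,13 the added `return;` after church_admin_sermon_form() is the meaningful change, because it stops the handler from continuing after the error form is rendered; the three blank `+` lines above the comment block are noise and should be dropped. In the notice itself the closing `</p>` is concatenated outside wp_kses_post() while the opening `<p>` is inside it; wrap the whole `<p>…</p>` in one wp_kses_post() call, and as in the first hunk use `notice-error` rather than `notice-danger`.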
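Review bot: in the hunk at -1331,19 escaping `audio_url` and `video_url` closes the reported gap, but the same SELECT, UPDATE and INSERT statements still interpolate `$length`, `$private`, `$file_name` (in the SELECT), `$speaker`, `$transcript` and `$passages` with no visible escaping, so the fix is partial; rewriting these statements with $wpdb->prepare() and `%s`/`%d` placeholders removes the per-field guesswork. The two write paths are also inconsistent: UPDATE escapes `$form['video_url']` while INSERT escapes `$sqlsafe['video_url']`, so if `$sqlsafe['video_url']` is already escaped where it is assigned the INSERT double-escapes it; pick one source and use it in both statements.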
AI Analysis
I'll analyze this code diff for security vulnerabilities following the specified format.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**SQL Injection - CWE-89** - includes/sermon-podcast.php Lines 1176, 1179
Old Code:
```php
$sqlsafe['audio_url']=$form['audio_url'];
$audioURL=$form['audio_url'];
church_admin_debug('URL: '.$sqlsafe['audio_url']);
$mimeType=church_admin_getRemoteMimeType( $sqlsafe['audio_url'] );
$dot_and_ext = substr($sqlsafe['audio_url'] ,-4);
```
Fixed Code:
```php
$sqlsafe['audio_url']=esc_sql($form['audio_url']);
$audioURL=$form['audio_url'];
$mimeType=church_admin_getRemoteMimeType( $sqlsafe['audio_url'] );//doesn't work for all servers
$ext = substr($form['audio_url'],-4);
```
Explanation:
The original code used unsanitized user input (`$form['audio_url']`) directly in SQL queries without escaping. The fix applies `esc_sql()` to sanitize the audio URL before database operations, preventing SQL injection attacks where malicious SQL could be injected through the audio_url parameter.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
**SQL Injection - CWE-89** - includes/sermon-podcast.php Line 1342
Old Code:
```php
if ( empty( $file_id) )$file_id=$wpdb->get_var('SELECT file_id FROM '.$wpdb->prefix.'church_admin_sermon_files WHERE external_file="'.$sqlsafe['audio_url'].'" AND length="'.$length.'" AND private="'.$private.'" AND file_name="'.$file_name.'" AND file_title="'.$sqlsafe['file_title'].'" AND file_description="'.$sqlsafe['file_description'].'" AND service_id="'.$sqlsafe['service_id'].'" AND series_id="'.$sqlsafe['series_id'].'" AND speaker="'.$speaker.'"');
```
Fixed Code:
```php
if ( empty( $file_id) )$file_id=$wpdb->get_var('SELECT file_id FROM '.$wpdb->prefix.'church_admin_sermon_files WHERE external_file="'.esc_sql($form['audio_url']).'" AND length="'.$length.'" AND private="'.$private.'" AND file_name="'.$file_name.'" AND file_title="'.$sqlsafe['file_title'].'" AND file_description="'.$sqlsafe['file_description'].'" AND service_id="'.$sqlsafe['service_id'].'" AND series_id="'.$sqlsafe['series_id'].'" AND speaker="'.$speaker.'"');
```
Explanation:
The SELECT query used unsanitized `$sqlsafe['audio_url']` (which was not escaped in the original code). The fix applies `esc_sql()` to the source data (`$form['audio_url']`) in the WHERE clause, preventing SQL injection through this query parameter.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
**SQL Injection - CWE-89** - includes/sermon-podcast.php Line 1350
Old Code:
```php
$sql='UPDATE '.$wpdb->prefix.'church_admin_sermon_files SET embed_code="'.esc_sql( $embed_code ).'",external_file="'.$sqlsafe['audio_url'].'", video_url="'.$sqlsafe['video_url'].'",transcript="'.$transcript.'",file_subtitle="'.$sqlsafe['file_subtitle'].'",pub_date="'.$sqlsafe['pub_date'].'",length="'.$length.'", private="'.$private.'",last_modified="'.date("Y-m-d H:i:s" ).'",file_name="'.esc_sql($file_name).'" , file_title="'.$sqlsafe['file_title'].'" , file_description="'.$sqlsafe['file_description'].'" , service_id="'.$sqlsafe['service_id'].'",series_id="'.$sqlsafe['series_id'].'" , speaker="'.$speaker.'", bible_passages="'.$passages.'",bible_texts="'.$sqlsafe['passages'].'",file_slug="'.esc_sql(sanitize_title( $form['file_title'] ) ).'" WHERE file_id="'.esc_sql( $file_id).'"';
```
Fixed Code:
```php
$sql='UPDATE '.$wpdb->prefix.'church_admin_sermon_files SET embed_code="'.esc_sql( $embed_code ).'",external_file="'.esc_sql($form['audio_url']).'", video_url="'.esc_sql($form['video_url']).'",transcript="'.$transcript.'",file_subtitle="'.$sqlsafe['file_subtitle'].'",pub_date="'.$sqlsafe['pub_date'].'",length="'.$length.'", private="'.$private.'",last_modified="'.date("Y-m-d H:i:s" ).'",file_name="'.esc_sql($file_name).'" , file_title="'.$sqlsafe['file_title'].'" , file_description="'.$sqlsafe['file_description'].'" , service_id="'.$sqlsafe['service_id'].'",series_id="'.$sqlsafe['series_id'].'" , speaker="'.$speaker.'", bible_passages="'.$passages.'",bible_texts="'.$sqlsafe['passages'].'",file_slug="'.esc_sql(sanitize_title( $form['file_title'] ) ).'" WHERE file_id="'.esc_sql( $file_id).'"';
```
Explanation:
The UPDATE query contained unescaped values `$sqlsafe['audio_url']` and `$sqlsafe['video_url']`. The fix applies `esc_sql()` directly to the form input data (`$form['audio_url']` and `$form['video_url']`), preventing SQL injection through these fields in the UPDATE statement.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
**SQL Injection - CWE-89** - includes/sermon-podcast.php Line 1357
Old Code:
```php
$sql='INSERT INTO '.$wpdb->prefix.'church_admin_sermon_files (file_name,file_title,file_subtitle,file_description,private,length,service_id,series_id,speaker,pub_date,last_modified,transcript,video_url,external_file,bible_passages,bible_texts,file_slug,embed_code)VALUES("'.esc_sql($file_name).'","'.$sqlsafe['file_title'].'","'.$sqlsafe['file_subtitle'].'","'.$sqlsafe['file_description'].'" ,"'.$private.'","'.$length.'","'.$sqlsafe['service_id'].'","'.$sqlsafe['series_id'].'","'.$speaker.'" ,"'.$sqlsafe['pub_date'].'","'.date("Y-m-d H:i:s" ).'","'.$transcript.'","'.$sqlsafe['video_url'].'","'.$sqlsafe['audio_url'].'","'.$passages.'","'.$sqlsafe['passages'].'","'.esc_sql(sanitize_title( $form['file_title'] ) ).'","'.esc_sql( $embed_code ).'")';
```
Fixed Code:
```php
$sql='INSERT INTO '.$wpdb->prefix.'church_admin_sermon_files (file_name,file_title,file_subtitle,file_description,private,length,service_id,series_id,speaker,pub_date,last_modified,transcript,video_url,external_file,bible_passages,bible_texts,file_slug,embed_code)VALUES("'.esc_sql($file_name).'","'.$sqlsafe['file_title'].'","'.$sqlsafe['file_subtitle'].'","'.$sqlsafe['file_description'].'" ,"'.$private.'","'.$length.'","'.$sqlsafe['service_id'].'","'.$sqlsafe['series_id'].'","'.$speaker.'" ,"'.$sqlsafe['pub_date'].'","'.date("Y-m-d H:i:s" ).'","'.$transcript.'","'.esc_sql($sqlsafe['video_url']).'","'.esc_sql($form['audio_url']).'","'.$passages.'","'.$sqlsafe['passages'].'","'.esc_sql(sanitize_title( $form['file_title'] ) ).'","'.esc_sql( $embed_code ).'")';
```
Explanation:
The INSERT query had unescaped `$sqlsafe['video_url']` and `$sqlsafe['audio_url']` values. The fix applies `esc_sql()` to properly escape these fields before insertion, preventing SQL injection vulnerabilities in the INSERT statement.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper URL Validation - CWE-95/CWE-601** - includes/sermon-podcast.php Line 1043
Old Code:
```php
$ch = curl_init( $url);
```
Fixed Code:
```php
$ch = curl_init( esc_url($url));
```
Explanation:
The curl_init function received an unvalidated URL that could contain malicious code or protocols. The fix applies `esc_url()` to sanitize and validate the URL before passing it to curl_init, preventing potential code injection or SSRF (Server-Side Request Forgery) attacks through malicious URL schemes.
CVE Analysis Results:
CVE-2026-0682: Yes
CVE Description:
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.