The plugin does not have CSRF checks in place when uploading Sermon files, and does not validate the uploaded files in any way (no extension or MIME allow-list), allowing attackers to make a logged-in admin upload arbitrary files, such as PHP ones, into the web-accessible uploads directory.
Alternatively, as an admin, upload a PHP file via the Sermon > Files feature of the plugin. The file will then be reachable at https://example.com/wp-content/uploads/sermons/file.php
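The two missing controls named above (a CSRF nonce on the upload request and an allow-list on the uploaded file) are what a fixed handler would add. The following is an added, illustrative WordPress handler written for this page, not code from the Sermon Browser plugin; the action name `example_sermon_upload`, the nonce field `example_sermon_nonce`, the field name `sermon_file`, the menu slug and the allow-listed types are all assumptions. It uses only standard WordPress APIs (`check_admin_referer`, `wp_check_filetype_and_ext`, `wp_handle_upload`, `wp_nonce_field`).

```php
<?php
// Added example: a hardened admin-side upload handler for a WordPress plugin.
// Not the plugin's own code; names and the allow-list below are assumptions.

// Hook an admin-post action; only logged-in users reach admin_post_{action}.
add_action( 'admin_post_example_sermon_upload', 'example_handle_sermon_upload' );

function example_handle_sermon_upload() {
    // 1. Authorisation: the request must come from a user allowed to manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce is bound to this user, this action and a short time window,
    //    so a form an attacker hosts elsewhere cannot produce a valid one. This dies
    //    with a 403 on failure, which is the check the advisory says was missing.
    check_admin_referer( 'example_sermon_upload', 'example_sermon_nonce' );

    if ( empty( $_FILES['sermon_file'] ) || ! is_array( $_FILES['sermon_file'] ) ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }
    $file = $_FILES['sermon_file'];

    // 3. Content validation: an explicit allow-list of extension => MIME pairs.
    //    Anything not listed (php, phtml, phar, html, svg, ...) is refused here,
    //    regardless of what Content-Type the client claimed for it.
    $allowed = array(
        'mp3'  => 'audio/mpeg',
        'pdf'  => 'application/pdf',
        'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 400 ) );
    }

    // 4. Storage: let WordPress move the file. Passing the same allow-list as
    //    'mimes' makes wp_handle_upload() apply it again, and it sanitises and
    //    uniquifies the stored filename so the original name is never trusted.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,   // we already verified the nonce ourselves
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( add_query_arg( 'uploaded', '1', admin_url( 'admin.php?page=example-sermons' ) ) );
    exit;
}

// The matching form: wp_nonce_field() emits the hidden nonce that
// check_admin_referer() verifies above. Without this field the handler rejects
// every submission, including legitimate ones.
function example_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_sermon_upload">
        <?php wp_nonce_field( 'example_sermon_upload', 'example_sermon_nonce' ); ?>
        <input type="file" name="sermon_file" accept=".mp3,.pdf,.docx">
        <?php submit_button( 'Upload' ); ?>
    </form>
    <?php
}
```

Two practical notes. `wp_check_filetype_and_ext()` matches on the extension against the allow-list and, for images, also sniffs the content; for other types it is an extension check, so the allow-list must never contain executable extensions. As defence in depth, the web server should also be configured to refuse PHP execution under `wp-content/uploads/`, so that a file which does slip through is served as a download rather than run.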
| CPE | Name | Operator | Version |
|---|---|---|---|
| | sermon-browser | eq | * |