SB2026040984 - Multiple vulnerabilities in ChurchCRM




Published: April 9, 2026

Security Bulletin ID: SB2026040984
Severity: High
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 17% | Medium: 33% | Low: 50%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2025-67875)

The vulnerability allows a remote user to execute arbitrary script in an administrator's browser and hijack the administrator's session.

The vulnerability exists due to cross-site scripting in the property assignment and profile rendering functionality when storing and displaying user-controlled property values on a user's profile page. A remote user can assign a specially crafted property value to another user's record to execute arbitrary script in an administrator's browser and hijack the administrator's session.

User interaction is required because the administrator must view the affected profile page, and exploitation requires permissions to edit records and manage properties and classifications.
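The stored cross-site scripting described in item 1 comes down to one rendering mistake: a user-controlled property value is written into the profile page as markup. The following PHP is an added example written for this bulletin, not ChurchCRM's own code; the function names, the table layout and the sample property value are constructed for the illustration. It puts the vulnerable rendering next to a hardened version that encodes at output time.

```php
<?php
// Added example (not ChurchCRM code): rendering a stored, user-controlled
// property value on a profile page. Function names and the sample value are
// hypothetical and constructed for this illustration.
declare(strict_types=1);

// Vulnerable pattern: the stored value is interpolated into HTML unchanged,
// so a value containing markup becomes live in whichever browser views the page,
// including an administrator's.
function renderPropertyVulnerable(string $name, string $value): string
{
    return "<tr><td>{$name}</td><td>{$value}</td></tr>";
}

// Hardened pattern: encode at output time for the HTML context the value lands in.
// ENT_QUOTES encodes both quote styles so the same helper is also safe inside
// attribute values; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPropertySafe(string $name, string $value): string
{
    return '<tr><td>' . h($name) . '</td><td>' . h($value) . '</td></tr>';
}

// Constructed sample: a property value that carries markup instead of plain text.
$propertyValue = '<script>alert(1)</script>';

echo renderPropertyVulnerable('Nickname', $propertyValue), PHP_EOL;
// The vulnerable output contains a live <script> element.
echo renderPropertySafe('Nickname', $propertyValue), PHP_EOL;
// The safe output contains only text: &lt;script&gt;alert(1)&lt;/script&gt;
```

Encoding at the point of output, rather than at the point of storage, is the choice that holds up: the same stored value may later be rendered in an attribute, in JavaScript or in an e-mail, and each context needs its own encoding. A Content-Security-Policy header that disallows inline script is a useful second layer but does not replace the encoding.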


2) SQL injection (CVE-ID: CVE-2025-68400)

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in ConfirmReportEmail.php when handling the familyId parameter in requests to the legacy /Reports/ConfirmReportEmail.php endpoint. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.

The endpoint remains directly reachable by URL even though it was removed from the user interface.


3) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in QueryView.php when processing the searchstring POST parameter in stored query templates. A remote attacker can send a specially crafted POST request to execute arbitrary SQL commands.

The issue is reachable through the reporting query menu, including the default Advanced Search stored query with QueryID 15.


4) Information disclosure (CVE-ID: CVE-2025-68110)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in StatementWrapper.php when handling database errors. A remote user can trigger an uncaught database exception to disclose sensitive information.

Exposed error messages may include the database host, IP address, username, and password.


5) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in the QueryView.php endpoint when handling the "searchstring" and "searchwhat" parameters in requests to /churchcrm/QueryView.php?QueryID=15. A remote user can send specially crafted parameter values to disclose sensitive information.

The vulnerable endpoint is accessible with low privileges.


6) SQL injection (CVE-ID: CVE-2025-66396)

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in src/UserEditor.php when processing the keys of the type POST parameter array while saving user configuration settings. A remote privileged user can send a specially crafted POST request to execute arbitrary SQL commands.

The injected key is concatenated into SELECT and UPDATE queries, and the issue can be exploited through time-based blind SQL injection.


7) SQL injection (CVE-ID: CVE-2025-66395)

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in src/ListEvents.php when processing the WhichType POST parameter while filtering events by type. A remote user can send a specially crafted POST request to execute arbitrary SQL commands.

The WhichType parameter is processed without enforcing an integer type before being concatenated into multiple SQL queries, and time-based blind SQL injection is possible.


8) SQL injection (CVE-ID: CVE-2025-68111)

The vulnerability allows a remote user to execute arbitrary SQL queries.

The vulnerability exists due to SQL injection in the eGive ReImport functionality in src/eGive.php when processing the MissingEgive_FamID_* POST parameter. A remote privileged user can send a specially crafted POST request to execute arbitrary SQL queries.

Exploitation requires the eGive import flow to reach the re-import form for missing eGive IDs.


9) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary SQL queries.

The vulnerability exists due to SQL injection in src/EventEditor.php when handling the EID POST parameter during event editing. A remote privileged user can send a specially crafted POST request to execute arbitrary SQL queries.

Exploitation requires event management permissions associated with the isAddEvent capability.


10) SQL injection (CVE-ID: CVE-2025-68112)

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in EditEventAttendees.php when handling a crafted EID parameter in POST requests. A remote user can send a specially crafted request to execute arbitrary SQL commands.

The issue affects the Event Attendee Editor functionality and does not require administrative privileges.


11) SQL injection (CVE-ID: CVE-2025-67877)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to SQL injection in /src/CartToFamily.php when handling the PersonAddress POST parameter in the Add to Family feature. A remote user can send a specially crafted POST request to disclose sensitive information.

Exploitation requires the Add Records permission.
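Items 2 through 11 share one root cause: a request parameter (familyId, searchstring, WhichType, EID, PersonAddress, or the keys of the type array) is concatenated into query text instead of being typed and bound. Item 4 is the companion failure, where the resulting driver error is returned to the client. The PHP below is an added example written for this bulletin, not ChurchCRM's own code; it uses an in-memory SQLite database, a hypothetical events table and constructed inputs to show the vulnerable shape of the WhichType handling from item 7 beside a hardened handler that enforces the integer type, binds the value, and logs database errors server-side rather than returning them.

```php
<?php
// Added example (not ChurchCRM code): a handler that filters events by a
// type id taken from POST, in the vulnerable shape the bulletin describes
// (untyped parameter concatenated into SQL) and in a hardened shape.
// Table, column and function names are hypothetical; the sample data is constructed.
declare(strict_types=1);

function openSampleDb(): PDO
{
    // In-memory SQLite stands in for the application's MySQL database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE events_event (event_id INTEGER PRIMARY KEY, event_type INTEGER, event_title TEXT)');
    $db->exec("INSERT INTO events_event VALUES (1, 1, 'Sunday service'), (2, 2, 'Board meeting'), (3, 1, 'Evening service')");
    return $db;
}

// Vulnerable: whatever arrives in $_POST['WhichType'] is spliced into the query
// text. A non-numeric value changes the query's structure instead of its data.
function listEventsVulnerable(PDO $db, string $whichType): array
{
    $sql = 'SELECT event_id, event_title FROM events_event WHERE event_type = ' . $whichType;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: enforce the integer type first, then bind the value so the query
// text is fixed before any user data is attached to it.
function listEventsSafe(PDO $db, string $whichType): array
{
    // filter_var returns false for anything that is not a well-formed integer,
    // so "1 OR 1=1", "1.0" and "" are all rejected before the database is touched.
    $typeId = filter_var($whichType, FILTER_VALIDATE_INT);
    if ($typeId === false) {
        throw new InvalidArgumentException('WhichType must be an integer');
    }
    $stmt = $db->prepare('SELECT event_id, event_title FROM events_event WHERE event_type = :type');
    $stmt->bindValue(':type', $typeId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Item 4 counterpart: log the full exception server-side, but never return
// driver messages (which can carry host and credential details) to the client.
function handleRequest(PDO $db, array $post): array
{
    try {
        return ['ok' => true, 'events' => listEventsSafe($db, (string)($post['WhichType'] ?? ''))];
    } catch (InvalidArgumentException $e) {
        return ['ok' => false, 'error' => 'Invalid request'];
    } catch (PDOException $e) {
        error_log('database error: ' . $e->getMessage()); // server-side log only
        return ['ok' => false, 'error' => 'An internal error occurred'];
    }
}

$db = openSampleDb();

// Constructed inputs: a legitimate id and a value that rewrites the WHERE clause.
$legit = '1';
$tampered = '1 OR 1=1';

print_r(listEventsVulnerable($db, $legit));     // events of type 1 only
print_r(listEventsVulnerable($db, $tampered));  // every event: the filter was bypassed
print_r(handleRequest($db, ['WhichType' => $legit]));     // the same two events via the bound query
print_r(handleRequest($db, ['WhichType' => $tampered]));  // rejected before reaching the database
```

The same two steps apply to the other affected parameters: validate the value against the type the query expects (integer ids for familyId and EID, a fixed allowlist for column names such as the keys of the type array, which cannot be bound as parameters at all), and bind everything else. Binding alone does not help a parameter that is used as an identifier, which is why item 6 needs an allowlist rather than a prepared statement.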


12) Arbitrary file upload (CVE-ID: CVE-2025-68109)

The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to unrestricted upload of file with dangerous type in the database restore functionality when uploading restore files. A remote privileged user can upload a web shell file and a crafted .htaccess file to execute arbitrary code on the server.

The uploaded web shell executes with the privileges of the web server user, and the impact extends beyond the application boundary.
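Item 12 is the classic pairing of an unrestricted upload with a web-served upload directory: a script file plus a crafted .htaccess turns the directory into an execution point. The PHP below is an added example written for this bulletin, not ChurchCRM's own restore code; the allowed extensions (.sql and .gz), the upload directory, and the sample filenames are assumptions constructed for the illustration. It rejects hidden files and stacked extensions, ignores the client-supplied MIME type, and stores the file under a server-generated name with non-executable permissions.

```php
<?php
// Added example (not ChurchCRM code): validating a database-restore upload
// before it is stored. Function names, the allowed extensions and the sample
// filenames are hypothetical assumptions made for this illustration.
declare(strict_types=1);

// Assumption: a restore file is a plain SQL dump or a gzipped one. Anything
// else, including .php, .phtml and .htaccess, is rejected regardless of the
// client-supplied MIME type, which the uploader controls.
const ALLOWED_RESTORE_EXTENSIONS = ['sql', 'gz'];

// Returns null when the name is acceptable, otherwise the reason for rejection.
function validateRestoreFilename(string $originalName): ?string
{
    // Strip any path components so the name cannot climb out of the upload directory.
    $base = basename(str_replace('\\', '/', $originalName));
    if ($base === '' || $base === '.' || $base === '..') {
        return 'empty filename';
    }
    // Dotfiles such as .htaccess are rejected outright: a crafted .htaccess can
    // make the web server execute whatever else sits in the directory.
    if ($base[0] === '.') {
        return 'hidden files are not accepted';
    }
    // Check every extension, not just the last one: names like backup.php.sql
    // are interpreted by the first recognised extension on some server configurations.
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return 'missing extension';
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_RESTORE_EXTENSIONS, true)) {
            return "extension .$ext is not accepted";
        }
    }
    return null;
}

// Store under a server-generated name, in a directory outside the document
// root ($uploadDir is an assumed path), with permissions that prevent execution.
function storeRestoreUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($reason = validateRestoreFilename($file['name'])) !== null) {
        throw new RuntimeException('rejected: ' . $reason);
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $target = rtrim($uploadDir, '/') . '/restore_' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($target, 0600);
    return $target;
}

// Constructed sample names exercising the checks (no real upload is needed).
// '../evil.sql' is accepted only after its path part has been stripped.
foreach (['churchcrm-backup.sql', 'backup.sql.gz', '.htaccess', 'shell.php', 'backup.php.sql', '../evil.sql'] as $name) {
    $verdict = validateRestoreFilename($name) ?? 'accepted';
    echo str_pad($name, 24), ' => ', $verdict, PHP_EOL;
}
```

Two further controls belong around this code rather than in it: the directory that receives restore files should be served by no virtual host at all (so a stray script or .htaccess is inert even if validation is bypassed), and the restore action itself should stay limited to administrators, since the bulletin notes the impact reaches beyond the application boundary into the web server account.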


Remediation

Install the update from the vendor's website.