ID:12590 - Exploit for Arbitrary file upload in ChurchCRM - CVE-2025-68109


Published: April 15, 2026


Vulnerability identifier: #VU125718
Vulnerability risk: Low
CVE-ID: CVE-2025-68109
CWE-ID: CWE-434
Exploitation vector: Remote access
Vulnerable software:
ChurchCRM

Link to public exploit:


Vulnerability description

The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the database restore functionality when uploading restore files. A remote privileged user can upload a web shell file and a crafted .htaccess file to execute arbitrary code on the server.

The uploaded web shell executes with the privileges of the web server user, and the impact extends beyond the application boundary.
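As an added, defender-side illustration (not code from ChurchCRM or from this advisory), the PHP below shows the kind of restore-upload validation that closes a CWE-434 hole of this shape: an extension allowlist, a check on the actual bytes rather than the client's Content-Type, rejection of dotfiles such as .htaccess, and staging under a server-chosen name in a directory the web server never serves. The class and function names, the upload field name and the staging path are assumptions.

```php
<?php
// Added example, not ChurchCRM's own code: validating a database-restore
// upload so that only a SQL dump (.sql) or gzip-compressed dump (.sql.gz) is
// accepted and staged outside the web root. Names and paths are hypothetical.

final class RestoreUploadValidator
{
    /** Extension allowlist; php, phtml, .htaccess and everything else are rejected. */
    private const ALLOWED = ['sql', 'gz'];

    /** Returns null if the upload is acceptable, otherwise the rejection reason. */
    public static function check(string $clientName, string $tmpPath): ?string
    {
        $base = basename($clientName);
        // Dotfiles such as .htaccess change web-server behaviour if they are ever served.
        if ($base === '' || $base[0] === '.') {
            return 'hidden or empty filename';
        }
        $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED, true)) {
            return "extension '$ext' is not a restore archive";
        }
        $head = (string) file_get_contents($tmpPath, false, null, 0, 65536);
        // Check the bytes, not the client's Content-Type: gzip data starts with 1F 8B.
        if ($ext === 'gz' && substr($head, 0, 2) !== "\x1f\x8b") {
            return 'file is not gzip data';
        }
        // A plain dump that carries a PHP open tag is not a restore file either.
        if ($ext === 'sql' && stripos($head, '<?php') !== false) {
            return 'dump contains PHP code';
        }
        return null;
    }

    /** Moves the upload to a server-chosen name under a directory the web server never serves. */
    public static function store(string $tmpPath, string $stageDir): string
    {
        $dest = rtrim($stageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.restore';
        if (!move_uploaded_file($tmpPath, $dest)) {
            throw new RuntimeException('could not stage restore file');
        }
        chmod($dest, 0600);
        return $dest;
    }
}

// Usage from the upload handler (hypothetical field name "restoreFile" and staging path):
// $reason = RestoreUploadValidator::check($_FILES['restoreFile']['name'], $_FILES['restoreFile']['tmp_name']);
// if ($reason !== null) { http_response_code(400); exit("Rejected: $reason"); }
// $path = RestoreUploadValidator::store($_FILES['restoreFile']['tmp_name'], '/var/lib/churchcrm/restore-staging');
```

Keeping uploads where the web server cannot serve or execute them matters more than the name checks, since a crafted .htaccess only takes effect in a directory Apache serves with AllowOverride enabled.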


Remediation

Install the security update from the vendor's website.