#VU125688 SQL injection in ChurchCRM - CVE-2025-68112

Published: April 9, 2026


Vulnerability identifier: #VU125688
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-68112
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in EditEventAttendees.php when handling a crafted EID parameter in POST requests. A remote user can send a specially crafted request to execute arbitrary SQL commands.

The issue affects the Event Attendee Editor functionality and does not require administrative privileges.
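As an added illustration (not ChurchCRM's code and not a description of the vendor's actual fix): the weak pattern that produces CWE-89 when an integer id such as EID is spliced into a query, next to a hardened handler that validates the value and binds it as a parameter. The table and column names and the $pdo connection are assumptions.

```php
<?php
// Illustrative handling of the EID parameter posted to EditEventAttendees.php.
// Added example: NOT ChurchCRM's code. The table (events_event), the column
// (event_id) and the $pdo connection are assumptions for this example only.

// Weak pattern (CWE-89): the raw request value becomes part of the SQL text,
// so whatever an authenticated user submits as EID is parsed as SQL.
function loadEventUnsafe(PDO $pdo, array $post): ?array
{
    $sql = "SELECT * FROM events_event WHERE event_id = " . ($post['EID'] ?? '');
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter so the database never interprets it as SQL.
function loadEventSafe(PDO $pdo, array $post): ?array
{
    $eid = filter_var($post['EID'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($eid === false) {
        http_response_code(400);   // malformed id: refuse rather than guess
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM events_event WHERE event_id = :eid');
    $stmt->bindValue(':eid', $eid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}
```

Disabling emulated prepares on the connection (PDO::ATTR_EMULATE_PREPARES set to false) makes the server, not the PHP driver, perform the parameter binding.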


Remediation

Install the security update from the vendor's website.

External links