Missing Authorization in ChurchCRM - #VU129697
Published: May 5, 2026
ChurchCRM
Detailed vulnerability description
The vulnerability allows a remote user to create new pledges without the required finance role.
The vulnerability exists due to missing authorization in src/PledgeEditor.php when creating a new pledge. A remote user can submit a crafted pledge creation request to create new pledges without the required finance role.
Editing an existing pledge performs a finance role check, but the new pledge path does not.