PT-2025-51357 · Churchcrm · Churchcrm

Xy20130630 · Published 2025-12-16 · Updated 2025-12-21 · CVE-2025-67751

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.0

Description: A SQL injection issue exists in the EventEditor.php file of ChurchCRM. The EN tyid POST parameter, used when creating a new event and selecting an event type, is not properly sanitized before it reaches the database query. A user with event management permissions (isAddEvent) can therefore execute arbitrary SQL queries.

Recommendations: Update to version 6.5.0 or later.
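As an added, hypothetical PHP illustration of the defect class this advisory describes (not ChurchCRM's own code): an event-type id read from POST and concatenated into the SQL text, beside the validated and parameterised form the fix should take. The table name, column name and the POST key `event_type_id` (standing in for the page's "EN tyid" parameter) are placeholders, and `$pdo` is any PDO connection.

```php
<?php
// Added illustration for this advisory, not ChurchCRM's own code. Table, column
// and the POST key are placeholders chosen for the demo.

/** Vulnerable pattern: the request value is concatenated into the SQL text. */
function insertEventUnsafe(PDO $pdo, array $post): void
{
    $typeId = $post['event_type_id'] ?? '';
    // Whatever the client sent becomes part of the statement itself.
    $pdo->exec("INSERT INTO events_event (event_type) VALUES ('" . $typeId . "')");
}

/** Hardened pattern: accept only an integer, then bind it as a parameter. */
function insertEventSafe(PDO $pdo, array $post): int
{
    $raw = $post['event_type_id'] ?? null;
    if (!is_scalar($raw) || !ctype_digit((string) $raw)) {
        throw new InvalidArgumentException('event_type_id must be a positive integer');
    }
    $stmt = $pdo->prepare('INSERT INTO events_event (event_type) VALUES (:type)');
    $stmt->bindValue(':type', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE events_event (id INTEGER PRIMARY KEY, event_type INTEGER)');

echo 'safe insert id: ' . insertEventSafe($pdo, ['event_type_id' => '3']) . PHP_EOL;

try {
    // A non-numeric value is refused before any SQL is built.
    insertEventSafe($pdo, ['event_type_id' => '3 or 1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The unsafe function is kept only for contrast; in the hardened version the value can never alter the statement because it is type-checked and passed as a bound integer rather than spliced into the query string.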

Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2025-67751, GHSA-WXCC-GVFV-56FG

Affected Products: Churchcrm