PT-2025-51867 · ChurchCRM · ChurchCRM

Uartu0 · Published 2025-12-17 · Updated 2026-04-07 · CVE-2025-62521

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 5.21.0

Description: ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution issue exists in the setup wizard. Unauthenticated attackers can inject arbitrary PHP code during the initial installation process, potentially leading to complete server compromise. The issue is located in setup/routes/setup.php, where user input from the setup form is directly concatenated into a PHP configuration template without validation or sanitization. Any parameter in the setup form can be used to inject PHP code that is written to Include/Config.php and subsequently executed on every page load. The vulnerability is more severe than typical authenticated remote code execution issues because it requires no credentials and affects the installation process.

Recommendations: Versions prior to 5.21.0 should be updated to version 5.21.0 or later.
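The description above names the root cause as form values concatenated straight into a PHP configuration template. The following is an added illustration, not ChurchCRM's own code, of how a setup wizard can write a config file so that a submitted value can never become PHP source: an allowlist with per-field validation, and `var_export()` to serialise values as quoted literals. Function names, field names and the regular expressions are assumptions.

```php
<?php
// Added illustration, not ChurchCRM's code: build a PHP config file from
// setup-form input without concatenating raw values into PHP source.

// Allowlist of settings the setup form may provide, each with a validator.
const SETUP_FIELDS = [
    'db_host' => '/^[A-Za-z0-9.\-]{1,253}$/',
    'db_name' => '/^[A-Za-z0-9_]{1,64}$/',
    'db_user' => '/^[A-Za-z0-9_]{1,64}$/',
    'db_pass' => '/^[^\r\n\0]{0,128}$/',  // any value without line breaks or NUL
];

// Reject unknown keys and values that fail their validator; return clean data.
function validateSetupInput(array $form): array
{
    $clean = [];
    foreach (SETUP_FIELDS as $key => $pattern) {
        $value = $form[$key] ?? '';
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Invalid value for setup field '$key'");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// var_export() emits each value as a quoted PHP literal, so quotes, "?>" or
// "${" inside a value stay inside the string and cannot become executable code.
function renderConfig(array $settings): string
{
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// Write atomically with restrictive permissions; consumers then do
// $cfg = require 'Include/Config.php';
function writeConfig(string $path, array $form): void
{
    $src = renderConfig(validateSetupInput($form));
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $src, LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $tmp");
    }
    chmod($tmp, 0640);
    rename($tmp, $path);
}

// Constructed sample: a password that would break a naive "'" . $v . "'" template.
$sample = ['db_host' => 'localhost', 'db_name' => 'churchcrm',
           'db_user' => 'crm', 'db_pass' => "p'a\\ss?><?php"];
echo renderConfig(validateSetupInput($sample));
```

The printed file contains the password only as an escaped single-quoted string, which is the property a patched setup routine should preserve for every form field, not just the database ones.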

Exploit

Fix

RCE

Code Injection


Weakness Enumeration

Related identifiers

CVE-2025-62521
GHSA-M8JQ-J3P9-2XF3

Affected products

ChurchCRM