PT-2025-51868 · ChurchCRM · ChurchCRM

Reporter: Xy20130630 · Published: 2025-12-17 · Updated: 2025-12-21 · CVE-2025-66395

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3

Description: ChurchCRM is an open-source church management system. A SQL injection issue exists in the file src/ListEvents.php: the WhichType POST parameter is not properly sanitized before being used in SQL queries. This allows an authenticated user to execute arbitrary SQL commands, potentially leading to the exfiltration, modification, or deletion of data, including user credentials and financial information. Any authenticated user, regardless of privilege level, can execute arbitrary queries against the database.

Recommendations: Update to version 6.5.3 or later.
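The defect class the description names, shown side by side with its hardened form. This is an added illustration written for this page, not ChurchCRM's code and not the actual contents of src/ListEvents.php: the table name `event`, the column `event_type`, the function names and the list of allowed types are all assumptions. The hardened function refuses values outside an allowlist and binds the value through a prepared statement, so whatever arrives in WhichType is treated as data rather than as SQL text.

```php
<?php
// Added example, not ChurchCRM's code. Table, column and function names are assumed.

// Vulnerable pattern (hypothetical reconstruction of the class of bug described):
// the untrusted POST value is spliced into the SQL string, so it can change the
// statement itself.
function listEventsVulnerable(PDO $db, string $whichType): array
{
    $sql = "SELECT id, title, event_type FROM event WHERE event_type = '" . $whichType . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: an allowlist of known types plus a parameterised query.
// Either measure alone already separates data from SQL; together they also
// give a clean place to log and reject unexpected input.
function listEventsHardened(PDO $db, string $whichType, array $allowedTypes): array
{
    if (!in_array($whichType, $allowedTypes, true)) {
        // Unknown type: reject instead of passing it to the database.
        throw new InvalidArgumentException('Unsupported event type requested');
    }
    $stmt = $db->prepare('SELECT id, title, event_type FROM event WHERE event_type = :type');
    $stmt->execute([':type' => $whichType]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data so the example runs offline (in-memory SQLite via PDO).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event (id INTEGER PRIMARY KEY, title TEXT, event_type TEXT)');
$insert = $db->prepare('INSERT INTO event (title, event_type) VALUES (?, ?)');
foreach ([['Sunday service', 'worship'], ['Youth night', 'youth'], ['Budget meeting', 'finance']] as $row) {
    $insert->execute($row);
}

$allowedTypes = ['worship', 'youth', 'finance']; // assumed allowlist

// Mimic the request: in a real handler this comes from $_POST['WhichType'].
$posted = $_POST['WhichType'] ?? 'youth'; // constructed default for a CLI run

try {
    $rows = listEventsHardened($db, $posted, $allowedTypes);
    foreach ($rows as $r) {
        printf("%d  %-16s %s\n", $r['id'], $r['title'], $r['event_type']);
    }
} catch (InvalidArgumentException $e) {
    // A rejected value is a detection signal worth logging in the application log.
    error_log('ListEvents: rejected WhichType value: ' . $e->getMessage());
    echo "Invalid request\n";
}
```

Running the script from the command line lists the one `youth` row; submitting any value that is not in `$allowedTypes` ends in the catch branch, and even a value that passes the allowlist is bound as a parameter rather than concatenated, which is the property the 6.5.3 fix is meant to restore.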

References: Exploit · Fix

Tags: SQL injection

Weakness Enumeration

Related Identifiers

CVE-2025-66395
GHSA-C9XF-F3GR-XFWV

Affected Products

ChurchCRM