PT-2025-51869 · Churchcrm · Churchcrm
Xy20130630 · Published 2025-12-17 · Updated 2025-12-21 · CVE-2025-66396
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3
Description: ChurchCRM is an open-source church management system. A SQL injection issue exists in the src/UserEditor.php file. When an administrator saves a user's configuration settings, the keys of the "type" POST parameter array are not sanitized before being used in SQL queries. This allows a malicious or compromised administrator account to execute arbitrary SQL commands, including time-based blind SQL injection, and so interact directly with the database. The flaw sits in the logic that saves user-specific configuration settings: the "type" parameter from the POST request is processed as an array, and the keys of that array (not only the values) are placed into SQL queries without sanitization. This can be used to exfiltrate, modify, or delete data, and potentially lead to further system compromise. Exploitation requires administrator privileges.
Recommendations: Update ChurchCRM to version 6.5.3 or later.
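The following is an added illustration, not ChurchCRM's own code: a minimal PHP handler showing the unsafe pattern the description refers to (an attacker-controlled array key concatenated into a query) beside a hardened version that allow-lists the keys and binds every value. The table and column names, the allowed setting keys, and the function names are assumptions made for the example.

```php
<?php
// Added example (not ChurchCRM's code). Table/column names and the
// allowed setting keys are assumptions made for illustration only.

// UNSAFE PATTERN (as described in the advisory): the array *key* of the
// POST parameter is concatenated into the query. Escaping only the value
// does not help, because the key is attacker-controlled as well.
function saveSettingsUnsafe(mysqli $db, int $userId, array $typeParam): void
{
    foreach ($typeParam as $key => $value) {
        $db->query("UPDATE user_cfg SET type='" . $db->real_escape_string((string) $value)
            . "' WHERE user_id=$userId AND name='$key'");   // $key never validated
    }
}

// HARDENED: reject any key that is not a known setting name, and bind all
// values as parameters so neither key nor value is ever part of the SQL text.
const ALLOWED_SETTING_KEYS = ['theme', 'language', 'timezone'];   // assumed names

function saveSettingsSafe(PDO $db, int $userId, array $typeParam): int
{
    $stmt = $db->prepare(
        'UPDATE user_cfg SET type = :type WHERE user_id = :uid AND name = :name'
    );
    $updated = 0;
    foreach ($typeParam as $key => $value) {
        // PHP turns numeric-looking POST keys into ints, so check the type too.
        if (!is_string($key) || !in_array($key, ALLOWED_SETTING_KEYS, true)) {
            // Unknown key: record it for detection and skip the database entirely.
            error_log('rejected unknown setting key: ' . bin2hex((string) $key));
            continue;
        }
        $stmt->execute([':type' => (string) $value, ':uid' => $userId, ':name' => $key]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Usage sketch: $_POST['type'] is the array the advisory describes; it may be absent
// or not an array, so guard before passing it in.
// $typeParam = is_array($_POST['type'] ?? null) ? $_POST['type'] : [];
// $n = saveSettingsSafe($pdo, (int) $_SESSION['uid'], $typeParam);
```

The error_log line gives a detection hook: unexpected setting keys arriving from an administrator session are exactly the signal a defender would want to alert on for this class of bug.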

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2025-66396, GHSA-WHPP-WX64-4QP9

Affected Products: Churchcrm