PT-2025-51926 · ChurchCRM · ChurchCRM

Guilhermemury · Published 2025-12-17 · Updated 2025-12-20 · CVE-2025-67877

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3

Description: ChurchCRM, an open-source church management system, contains a SQL injection issue. The vulnerability resides in the src/CartToFamily.php file, specifically in the handling of the PersonAddress POST parameter. The PersonAddress parameter lacks proper type casting, unlike other parameters in the same file, allowing for the injection of arbitrary SQL commands.

Recommendations: Update to version 6.5.3 or later.
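The defect class is easiest to see next to its fix. The PHP below is an added illustration, not code from ChurchCRM or from this advisory: the table, column and function names are hypothetical, and the hardened handler assumes PersonAddress is meant to carry an integer identifier, which is what the missing cast described above suggests.

```php
<?php
// Added illustration; hypothetical handler, not ChurchCRM's own code.

/**
 * Read a POST parameter that must be an integer ID.
 * Returns null when the value is missing or not a plain integer,
 * so non-numeric input never reaches the query layer.
 */
function readIntParam(array $post, string $name): ?int
{
    if (!isset($post[$name])) {
        return null;
    }
    $value = filter_var($post[$name], FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

/**
 * Weak pattern: the raw request string is concatenated into the SQL text,
 * so whatever the client sends becomes part of the statement.
 * (example_table / example_column are placeholders.)
 */
function buildUnsafeSql(array $post): string
{
    $address = $post['PersonAddress'] ?? '';
    return "UPDATE example_table SET example_column = " . $address . " WHERE id = 1";
}

/**
 * Hardened pattern: validate/cast first, then bind through a prepared
 * statement so the value is data, never SQL. $db is a PDO connection
 * supplied by the caller (hypothetical dependency).
 */
function updateWithValidatedParam(PDO $db, array $post): bool
{
    $address = readIntParam($post, 'PersonAddress');
    if ($address === null) {
        // Reject rather than guess at what the client meant.
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE example_table SET example_column = :addr WHERE id = :id'
    );
    $stmt->bindValue(':addr', $address, PDO::PARAM_INT);
    $stmt->bindValue(':id', 1, PDO::PARAM_INT);
    return $stmt->execute();
}
```

The point of the contrast is that the cast alone narrows the input to an integer, and the bound parameter removes string concatenation entirely, which is the combination other parameters in the same file already relied on according to the description.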

Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2025-67877, GHSA-H3VQ-9GR6-H9R4

Affected Products: ChurchCRM