PT-2025-51927 · Churchcrm · Churchcrm

Saadet-T · Published 2025-12-17 · Updated 2025-12-20 · CVE-2025-68109

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3

Description: ChurchCRM is an open-source church management system. Its Database Restore functionality validates neither the content nor the file extension of uploaded files. An attacker can therefore upload a web shell and then a .htaccess file that makes the shell directly reachable; once accessed, the web shell gives remote code execution (RCE) on the server. The affected component is the Database Restore functionality.

Recommendations: Update ChurchCRM to version 6.5.3 to resolve this issue.
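The control this entry says is missing, shown as an added example written for this page (it is not ChurchCRM's own code and not the fix shipped in 6.5.3): a PHP 8 gate for a database-restore upload that rejects dotfiles such as .htaccess and names with path separators, accepts only dump/archive extensions, checks the first bytes of the content against the extension, and stores the file under a server-chosen random name. The class name, the allowed-type table and the 512-byte sniff window are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code: a server-side gate for a
// database-restore upload. The class name, the allowed-type table and
// the sniff window are this example's own choices.

final class RestoreUploadValidator
{
    // Lower-case extension => magic-byte prefixes the file must start with.
    // An empty list means "plain-text dump", checked by the content rules below.
    private const ALLOWED_TYPES = [
        'sql' => [],
        'gz'  => ["\x1f\x8b"],
        'zip' => ["PK\x03\x04"],
    ];

    private const SNIFF_BYTES = 512;

    /**
     * Validates an uploaded restore file and returns the server-chosen
     * filename to store it under. Throws on anything that is not an
     * acceptable dump or archive; the client-supplied name is never reused.
     */
    public static function validate(string $clientName, string $tmpPath): string
    {
        // Empty names, names with path separators and dotfiles (which covers
        // .htaccess) are refused before the extension is even looked at.
        $base = basename($clientName);
        if ($base === '' || $base !== $clientName || $base[0] === '.') {
            throw new InvalidArgumentException('Unacceptable file name');
        }

        // Only the final extension is consulted; it must be a restore format.
        $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
        if (!array_key_exists($ext, self::ALLOWED_TYPES)) {
            throw new InvalidArgumentException("Extension '$ext' is not a restore format");
        }

        // The extension alone proves nothing: the leading bytes must agree with it.
        $head = file_get_contents($tmpPath, false, null, 0, self::SNIFF_BYTES);
        if ($head === false || $head === '') {
            throw new RuntimeException('Uploaded file is unreadable or empty');
        }

        $magics = self::ALLOWED_TYPES[$ext];
        if ($magics === []) {
            self::assertTextDump($head);
        } else {
            self::assertMagic($head, $magics);
        }

        // The stored name is random and carries only the vetted extension, so
        // nothing the client chose ever reaches the filesystem.
        return bin2hex(random_bytes(16)) . '.' . $ext;
    }

    /** @param list<string> $magics */
    private static function assertMagic(string $head, array $magics): void
    {
        foreach ($magics as $magic) {
            if (strncmp($head, $magic, strlen($magic)) === 0) {
                return;
            }
        }
        throw new InvalidArgumentException('File content does not match its extension');
    }

    private static function assertTextDump(string $head): void
    {
        // A SQL dump is text without NUL bytes. Refusing "<?" anywhere in the
        // sniffed window is deliberately conservative: nothing that could be
        // parsed as PHP is accepted as a dump.
        if (str_contains($head, "\0") || str_contains($head, '<?')) {
            throw new InvalidArgumentException('File is not a plain-text SQL dump');
        }
    }
}

// Constructed command-line demonstration with sample uploads; not part of the class.
if (PHP_SAPI === 'cli') {
    $cases = [
        ['dump.sql',  "-- MySQL dump\nCREATE TABLE person_per (per_ID int);\n"], // accepted
        ['dump.gz',   "\x1f\x8b\x08\x00" . str_repeat("\0", 16)],               // accepted
        ['.htaccess', "SetHandler application/x-httpd-php\n"],                   // rejected: dotfile
        ['notes.php', "<?php /* any PHP */ ?>"],                                 // rejected: extension
        ['fake.gz',   "this is not gzip data"],                                  // rejected: magic bytes
    ];
    foreach ($cases as [$name, $content]) {
        $tmp = tempnam(sys_get_temp_dir(), 'restore');
        file_put_contents($tmp, $content);
        try {
            printf("%-10s -> stored as %s\n", $name, RestoreUploadValidator::validate($name, $tmp));
        } catch (Throwable $e) {
            printf("%-10s -> rejected: %s\n", $name, $e->getMessage());
        } finally {
            unlink($tmp);
        }
    }
}
```

The validated file still belongs in a directory outside the web root that the web server never serves; the name check is what keeps a .htaccess out, the random stored name is what keeps a client-chosen filename from ever becoming a URL, and the directory placement is what makes both moot if either is bypassed.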

Exploit · Fix

RCE · Files Accessible to External Parties · Unrestricted File Upload · OS Command Injection

Related Identifiers: CVE-2025-68109, GHSA-PQM7-G8PX-9R77

Affected Products: Churchcrm