CVE-2025-1023

Name of the Vulnerable Software and Affected Versions ChurchCRM versions 5.13.0 and prior

Description A time-based blind SQL Injection vulnerability exists in the EditEventTypes functionality, allowing an attacker to execute arbitrary SQL queries. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, enabling an attacker to manipulate database queries and execute arbitrary commands. This could potentially lead to data exfiltration, modification, or deletion.

Recommendations For ChurchCRM versions 5.13.0 and prior, as a temporary workaround, consider disabling the EditEventTypes functionality until a patch is available. Restrict access to the newCountName parameter in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.