CVE-2025-1132

Name of the Vulnerable Software and Affected Versions ChurchCRM versions 5.13.0 and prior

Description A time-based blind SQL Injection vulnerability exists in the EditEventAttendees.php file within the EN tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved. The vulnerability requires Administrator permissions.

Recommendations For ChurchCRM versions 5.13.0 and prior, as a temporary workaround, consider restricting access to the EditEventAttendees.php file and the EN tyid parameter to minimize the risk of exploitation. Avoid using the EN tyid parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.