CVE-2025-1133

Name of the Vulnerable Software and Affected Versions ChurchCRM versions 5.13.0 and prior

Description A boolean-based blind SQL Injection vulnerability exists in the EditEventAttendees functionality, allowing an attacker to execute arbitrary SQL queries. The EID parameter is directly concatenated into an SQL query without proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion. This issue requires Administrator privileges.

Recommendations For ChurchCRM versions 5.13.0 and prior, as a temporary workaround, consider disabling the EditEventAttendees functionality until a patch is available. Restrict access to the EID parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.