CVE-2025-1134

Name of the Vulnerable Software and Affected Versions ChurchCRM versions 5.13.0 and prior

Description A boolean-based and time-based blind SQL Injection vulnerability exists in the DonatedItemEditor functionality, allowing an attacker to execute arbitrary SQL queries. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, enabling an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. This issue requires Administrator privileges.

Recommendations For ChurchCRM versions 5.13.0 and prior, consider disabling the DonatedItemEditor functionality until a patch is available to prevent exploitation of the SQL Injection vulnerability. Restrict access to the CurrentFundraiser parameter to minimize the risk of database query manipulation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.