CVE-2025-1135

Name of the Vulnerable Software and Affected Versions ChurchCRM versions 5.13.0 and prior

Description A boolean-based and time-based blind SQL Injection vulnerability exists in the BatchWinnerEntry functionality, allowing an attacker to execute arbitrary SQL queries. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, enabling an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. This issue requires Administrator privileges.

Recommendations For ChurchCRM versions 5.13.0 and prior, as a temporary workaround, consider disabling the BatchWinnerEntry functionality until a patch is available. Restrict access to the CurrentFundraiser parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.