PT-2026-40459 · Churchcrm · Churchcrm

Published

2026-05-12

·

Updated

2026-05-13

·

CVE-2026-42289

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

ChurchCRM versions prior to 7.3.2
Description

ChurchCRM is an open-source church management system. In versions prior to 7.3.2, UserEditor.php processes user account creation and permission changes directly from $_POST parameters without validating a Cross-Site Request Forgery (CSRF) token. In a CSRF attack the attacker causes a victim's browser to send a request the victim did not intend; because the browser attaches the victim's session cookie to that request automatically, the application cannot tell the forged submission from a legitimate one. The attacker needs no account on the target instance (PR:N in the vector), but an authenticated administrator must visit an attacker-controlled HTML page (UI:R). When that happens, the page can silently submit a form to UserEditor.php that elevates a low-privilege user to administrator or creates a new administrator account as a persistent backdoor.
Recommendations

Update to version 7.3.2.
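The following PHP is an added illustration and is not ChurchCRM's own code or its 7.3.2 fix. It shows the vulnerable shape described above (a handler that acts on $_POST alone) next to a hardened handler that requires a per-session synchronizer token and a same-origin Origin/Referer header. The function names, the in-memory user array and the form field names PersonID, Admin and csrf_token are all hypothetical, as are the origins church.example and attacker.example used in the constructed requests.

```php
<?php
declare(strict_types=1);

// Issue one token per session and embed it in every state-changing form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened check: the request must carry a same-origin Origin (or Referer)
// header AND the session's token. Browsers set Origin on cross-site POSTs and
// page scripts cannot overwrite it, so a forged form from another site fails
// the first test; without access to the victim's session it also fails the second.
function csrfRequestIsValid(array $session, array $post, array $server, string $siteOrigin): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        if ($p !== false && isset($p['scheme'], $p['host'])) {
            $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        }
    }
    if ($origin === null || strcasecmp($origin, $siteOrigin) !== 0) {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time; the token never enters string ===.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Vulnerable shape: trusts $_POST alone (hypothetical field names).
function updateUserVulnerable(array &$users, array $post): void
{
    $id = (int)($post['PersonID'] ?? 0);
    if (isset($users[$id])) {
        $users[$id]['admin'] = isset($post['Admin']);
    }
}

// Hardened shape: identical business logic, reached only after the CSRF check.
// The caller should answer a false return with HTTP 403.
function updateUserHardened(array &$users, array $session, array $post, array $server, string $siteOrigin): bool
{
    if (!csrfRequestIsValid($session, $post, $server, $siteOrigin)) {
        return false;
    }
    updateUserVulnerable($users, $post);
    return true;
}

// Demonstration on constructed data.
$users = [7 => ['name' => 'alice', 'admin' => false]];
$session = [];
$token = csrfToken($session);

// A forged cross-site POST: the victim's browser attaches the session cookie,
// but the Origin is the attacker's page and the form carries no token.
$forged = ['PersonID' => '7', 'Admin' => '1'];
$forgedServer = ['HTTP_ORIGIN' => 'https://attacker.example'];
updateUserVulnerable($users, $forged);
echo 'vulnerable handler, alice admin = ' . var_export($users[7]['admin'], true) . PHP_EOL;   // true

$users[7]['admin'] = false;
$ok = updateUserHardened($users, $session, $forged, $forgedServer, 'https://church.example');
echo 'hardened handler accepted forged request = ' . var_export($ok, true) . PHP_EOL;        // false
echo 'alice admin after forged request = ' . var_export($users[7]['admin'], true) . PHP_EOL; // false

// A legitimate same-origin submission carrying the token is still honoured.
$legit = $forged + ['csrf_token' => $token];
$legitServer = ['HTTP_ORIGIN' => 'https://church.example'];
$ok = updateUserHardened($users, $session, $legit, $legitServer, 'https://church.example');
echo 'hardened handler accepted legitimate request = ' . var_export($ok, true) . PHP_EOL;    // true
```

Run with `php example.php`. Marking the session cookie SameSite=Lax or Strict narrows the window for this attack in modern browsers, but it does not replace the token check: the token is what lets the server prove the form was rendered by its own page for this session.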

Exploit

Fix

LPE

Improper Privilege Management

CSRF

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-42289

Affected Products

Churchcrm