PT-2026-57866 · Churchcrm · Churchcrm

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-58409

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.4.0
Description An authenticated administrator can achieve Remote Code Execution (RCE) by installing a malicious plugin ZIP archive containing a PHP webshell. The application includes php in its ALLOWED EXTENSIONS list, and the DENIED EXTENSIONS denylist fails to block standard .php files. Since extracted files are placed directly under the web root, any PHP file within the ZIP becomes executable via HTTP without requiring the plugin to be enabled through the user interface. The /plugins/install-url API route (management.php) allows an administrator to source the ZIP from an external HTTPS URL, validating it only against a provided SHA-256 hash.
Recommendations Update to version 7.4.0.

Fix

RCE

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58409

Affected Products

Churchcrm