PT-2026-57866 · Churchcrm · Churchcrm
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-58409
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ChurchCRM versions prior to 7.4.0
Description
An authenticated administrator can achieve Remote Code Execution (RCE) by installing a malicious plugin ZIP archive containing a PHP webshell. The application includes
php in its ALLOWED EXTENSIONS list, and the DENIED EXTENSIONS denylist fails to block standard .php files. Since extracted files are placed directly under the web root, any PHP file within the ZIP becomes executable via HTTP without requiring the plugin to be enabled through the user interface. The /plugins/install-url API route (management.php) allows an administrator to source the ZIP from an external HTTPS URL, validating it only against a provided SHA-256 hash.Recommendations
Update to version 7.4.0.
Fix
RCE
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Churchcrm