SQL Injection Vulnerability in ChurchCRM by ChurchCRM
CVE-2025-1133
9.3 CRITICAL
Key Information:
- Vendor: Churchcrm
- Status: Churchcrm
- CVE Published: 19 February 2025
Summary
A vulnerability has been identified in ChurchCRM versions up to 5.13.0 that could allow attackers to execute arbitrary SQL queries via the EditEventAttendees functionality. The EID parameter is concatenated directly into the SQL query without input validation or parameter binding, making it vulnerable to boolean-based blind SQL injection. This weakness can permit attackers with Administrator privileges to manipulate the database, potentially leading to unauthorized access, data exfiltration, modification, or even deletion of critical information.
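The pattern the summary describes (an integer identifier spliced into query text) and the fix a maintainer would apply (validate the type, then bind the value as a parameter) are shown below in an added illustration. This is not ChurchCRM's code; the table name, column names, and sample rows are constructed for the example, and the vulnerable function is written only to show why the boolean-blind differential exists and how the hardened version removes it.

```python
import sqlite3

# Constructed sample data standing in for an event-attendance table.
# Table and column names are assumptions for this illustration, not ChurchCRM's schema.
SAMPLE_ROWS = [
    (1, 101, "alice"),
    (1, 102, "bob"),
    (2, 103, "carol"),
    (3, 104, "dave"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event_attend (event_id INTEGER, person_id INTEGER, name TEXT)"
    )
    conn.executemany("INSERT INTO event_attend VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def attendees_vulnerable(conn: sqlite3.Connection, eid: str) -> list:
    """The weak pattern: the untrusted EID value becomes part of the SQL text.

    Anything the caller supplies is parsed by the database as SQL, so an
    appended condition changes which rows the query returns."""
    sql = f"SELECT person_id, name FROM event_attend WHERE event_id = {eid}"
    return conn.execute(sql).fetchall()


def attendees_hardened(conn: sqlite3.Connection, eid: str) -> list:
    """The fix: validate the type first, then bind the value as a parameter.

    Either step alone already prevents injection here; doing both gives a
    clear error for malformed input and keeps the value out of the query text."""
    if not eid.isdigit():
        raise ValueError(f"invalid EID: {eid!r}")
    sql = "SELECT person_id, name FROM event_attend WHERE event_id = ?"
    return conn.execute(sql, (int(eid),)).fetchall()


def demo() -> dict:
    """Run both versions against the same inputs and return the results.

    The two AND-conditions differ only in whether the appended predicate is
    true or false; with the vulnerable query the row count changes, which is
    the observable signal that boolean-based blind injection relies on. With
    the hardened query the input never reaches the parser."""
    conn = make_db()
    benign = "1"
    cond_true = "1 AND 1=1"    # constructed: appended predicate is true
    cond_false = "1 AND 1=2"   # constructed: appended predicate is false
    return {
        "vuln_benign": attendees_vulnerable(conn, benign),
        "vuln_true": attendees_vulnerable(conn, cond_true),
        "vuln_false": attendees_vulnerable(conn, cond_false),
        "hard_benign": attendees_hardened(conn, benign),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
    try:
        attendees_hardened(make_db(), "1 AND 1=1")
    except ValueError as exc:
        print(f"hardened rejects non-integer input: {exc}")
```

The reviewer's checklist for a report like this one is the same in any language: every value that reaches `WHERE event_id = ...` must either be cast to the expected scalar type or passed through the driver's parameter binding, and any code path that builds the query with string interpolation is a finding regardless of how the value was obtained.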
Affected Version(s)
ChurchCRM 5.13.0 and prior
References
CVSS V4
- Score: 9.3
- Severity: CRITICAL
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Undefined
- User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michael McInerney