SQL Injection Vulnerability in ChurchCRM Affected Versions
CVE-2025-1134

9.3 CRITICAL

Key Information:

Vendor

Churchcrm

Status
Vendor
CVE Published:
19 February 2025

What is CVE-2025-1134?

A vulnerability in ChurchCRM allows unauthorized users to execute arbitrary SQL queries through a boolean-based and time-based blind SQL Injection within the DonatedItemEditor functionality. The vulnerability is caused by the inadequate sanitization of the CurrentFundraiser parameter, which is directly concatenated into an SQL query. This oversight permits an attacker to manipulate the database, potentially leading to critical data exfiltration, modification, or deletion. Note that exploitation of this vulnerability requires Administrator privileges.
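As an added illustration (not ChurchCRM's code; the table, column names and the assumption that CurrentFundraiser is a numeric fundraiser id are constructed for the example), the concatenation defect the advisory describes sits beside a parameterized replacement, written in Python with sqlite3:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a fundraiser table (not ChurchCRM's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fundraiser (fr_id INTEGER PRIMARY KEY, fr_title TEXT)")
    conn.executemany(
        "INSERT INTO fundraiser VALUES (?, ?)",
        [(1, "Spring Auction"), (2, "Fall Gala"), (3, "Bake Sale")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, current_fundraiser: str) -> list:
    """The defect pattern from the advisory: the request parameter is spliced
    straight into the SQL text, so whatever it contains is parsed as SQL."""
    sql = "SELECT fr_id, fr_title FROM fundraiser WHERE fr_id = " + current_fundraiser
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, current_fundraiser: str) -> list:
    """Hardened form: enforce the type the parameter is expected to carry
    (assumption: an integer id) and bind it as data, never as SQL text."""
    if not current_fundraiser.isdigit():
        raise ValueError("CurrentFundraiser must be a numeric id")
    sql = "SELECT fr_id, fr_title FROM fundraiser WHERE fr_id = ?"
    return conn.execute(sql, (int(current_fundraiser),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A well-formed id behaves the same either way.
    print(lookup_concatenated(db, "2"), lookup_parameterized(db, "2"))
    # A value that is not an id changes the query's logic when concatenated
    # (the boolean-based behaviour the advisory names) but is rejected when bound.
    print(len(lookup_concatenated(db, "1 OR 1=1")))
    try:
        lookup_parameterized(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```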

Affected Version(s)

ChurchCRM 5.13.0 and prior

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael McInerney