SQL Injection Vulnerability in ChurchCRM Affected Versions
CVE-2025-1134
9.3 CRITICAL
What is CVE-2025-1134?
A vulnerability in ChurchCRM allows unauthorized users to execute arbitrary SQL queries through a boolean-based and time-based blind SQL Injection within the DonatedItemEditor functionality. The vulnerability is caused by the inadequate sanitization of the CurrentFundraiser parameter, which is directly concatenated into an SQL query. This oversight permits an attacker to manipulate the database, potentially leading to critical data exfiltration, modification, or deletion. Note that exploitation of this vulnerability requires Administrator privileges.
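The defect the advisory describes, a request parameter concatenated directly into SQL text, and the standard fix, type validation plus a bound query parameter, side by side. This is an added illustration and not ChurchCRM's code: it uses Python with an in-memory SQLite table as a stand-in for the DonatedItemEditor query, and the table name `donated_item`, the column names, the sample rows and the two function names are all constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for donated items tied to a fundraiser id.
SAMPLE_ITEMS = [
    (1, 101, "Quilt"),
    (2, 101, "Painting"),
    (3, 202, "Gift basket"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donated_item ("
        "id INTEGER PRIMARY KEY, fundraiser_id INTEGER, title TEXT)"
    )
    conn.executemany("INSERT INTO donated_item VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def items_vulnerable(conn, current_fundraiser):
    """Vulnerable pattern (hypothetical stand-in for the flaw in the advisory):
    the untrusted CurrentFundraiser value becomes part of the SQL text, so any
    SQL syntax in it is executed rather than compared."""
    sql = (
        "SELECT id, title FROM donated_item WHERE fundraiser_id = "
        + str(current_fundraiser)
        + " ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def items_hardened(conn, current_fundraiser):
    """Hardened version: the value must parse as a positive integer id, and it
    is passed to the driver as a bound parameter, never spliced into the text."""
    try:
        fundraiser_id = int(current_fundraiser)
    except (TypeError, ValueError):
        raise ValueError("CurrentFundraiser must be an integer id")
    if fundraiser_id <= 0:
        raise ValueError("CurrentFundraiser must be a positive integer id")
    sql = "SELECT id, title FROM donated_item WHERE fundraiser_id = ? ORDER BY id"
    return conn.execute(sql, (fundraiser_id,)).fetchall()


def hardened_rejects(conn, value):
    """True if the hardened query refuses the value instead of running it."""
    try:
        items_hardened(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A normal request: both versions return the two items for fundraiser 101.
    print("normal, vulnerable:", items_vulnerable(db, "101"))
    print("normal, hardened: ", items_hardened(db, "101"))
    # A constructed value carrying a boolean condition: the concatenated query
    # returns every row, while the hardened query rejects the input outright.
    tampered = "101 OR 1=1"
    print("tampered, vulnerable:", items_vulnerable(db, tampered))
    print("tampered, hardened rejects:", hardened_rejects(db, tampered))
```

The validation step matters on its own: binding a parameter stops the value from altering the query structure, and rejecting anything that is not an integer id keeps malformed input from reaching the database at all, which also makes such requests easy to log and alert on.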
Affected Version(s)
ChurchCRM (vendor: ChurchCRM), version 5.13.0 and prior