Server-Side Request Forgery Vulnerability in ChurchCRM by ChurchCRM
CVE-2025-3954
Key Information:
Badges
What is CVE-2025-3954?
A security vulnerability has been identified in ChurchCRM 5.16.0, specifically within the Referer Handler component. This issue allows for server-side request forgery, enabling attackers to execute unauthorized requests from the server. The vulnerability can be exploited remotely, although it is considered complex to execute, requiring an advanced understanding of the system's configurations and potential entry points. The vendor was notified of this serious security concern but has not provided any public response or patch. This situation highlights the need for prompt action and protection mechanisms for users and administrators.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
ChurchCRM 5.16.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
