CVE-2025-1134: Critical Vulnerability in ChurchCRM

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. Please note that this vulnerability requires Administrator privileges.

With a CVSS score of 9.3, this vulnerability is classified as critical. The potential for exploitation is significant, given that it allows for complete control over the database. Organizations using affected versions of ChurchCRM should take immediate action to mitigate this risk.

Risk to organizations includes unauthorized access to sensitive information, potential data breaches, and significant operational disruptions. Given the nature of the vulnerability and its requirements for Administrator privileges, the urgency to address this issue cannot be overstated.

Organizations should prioritize patching immediately. The impact of failing to address this vulnerability may lead to severe consequences.

Vulnerability Details

The vulnerability is characterized as a SQL injection issue, specifically a boolean-based and time-based blind SQL Injection. It allows attackers to execute arbitrary SQL commands that can lead to data exfiltration, modification, or deletion. The CVSS score of 9.3 indicates a critical severity level, highlighting the significant potential impact on confidentiality, integrity, and availability. This vulnerability affects the ChurchCRM software, specifically versions 5.13.0 and prior, and was published on February 19, 2025.

Technical Analysis

The root cause of this vulnerability stems from improper input handling in the DonatedItemEditor functionality. The CurrentFundraiser parameter is concatenated directly into an SQL query without appropriate sanitization, facilitating SQL injection attacks. The attack vector is network-based, and the complexity of the attack is low, requiring high privileges to exploit. No user interaction is necessary, and the potential impacts are significant across confidentiality, integrity, and availability.

Risk & Impact Analysis

Real-world deployment risk is high, as organizations utilizing ChurchCRM may inadvertently expose sensitive data through this vulnerability. The blast radius potential is broad, affecting all instances of the application running the vulnerable versions. Organizations must recognize the urgency of addressing this vulnerability based on the critical CVSS score and the potential for exploitation.

Exploitation Status

Affected Versions

All versions prior to vendor patch, specifically ChurchCRM versions 5.13.0 and earlier are affected by this vulnerability.

Mitigation & Remediation

Organizations should prioritize patching immediately. Upgrade to the latest version of ChurchCRM that addresses this vulnerability. If a patch is not available, consider implementing input validation and sanitization mechanisms to mitigate SQL injection risks. Additionally, implementing network controls to restrict administrative access can help limit exposure.

Detection Guidance

Monitor logs for unusual SQL query patterns, especially those that appear to include unexpected inputs in the CurrentFundraiser parameter. Look for behavioral anomalies that may indicate exploitation attempts, and implement network signatures that can detect such activities.

AppSecure Threat Intelligence Insight

This vulnerability represents a significant risk, showcasing the need for robust input validation in web applications. Security teams should leverage this insight to strengthen their defenses against SQL injection attacks. For further reading on security best practices, organizations can refer to our comprehensive penetration testing methodology and related articles on application security.