CVE-2022-31325

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in ChurchCRM 4.4.5 allows attackers to execute arbitrary SQL commands via the PersonID parameter in WhyCameEditor.php. It affects every ChurchCRM 4.4.5 installation on which that endpoint is reachable; an attacker could read, modify, or delete database contents.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 4.4.5
Operating Systems: All platforms running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: All ChurchCRM 4.4.5 installations with WhyCameEditor.php accessible are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise, including exposure of sensitive personal data, authentication bypass, and potential remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized access to, and extraction of, sensitive church member information, donation records, and personal details.

🟢 If Mitigated

Limited impact: proper input validation and parameterized queries prevent the SQL injection.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is web-accessible and SQL injection is a common attack vector.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication to access WhyCameEditor.php, but SQL injection payloads are publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.6 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/6005

Restart Required: No

Instructions:

  1. Back up your ChurchCRM database and files.
  2. Download ChurchCRM 4.4.6 or later from the official repository.
  3. Replace the vulnerable WhyCameEditor.php file with the patched version.
  4. Verify the fix by testing the PersonID parameter.

🔧 Temporary Workarounds

Input Validation Filter

Platforms: all

Add input validation so that PersonID only accepts numeric values.

Modify WhyCameEditor.php so the parameter is checked before it reaches any query, for example: if (!isset($_GET['PersonID']) || !is_numeric($_GET['PersonID'])) { die('Invalid input'); }

WAF Rule

Platforms: all

Implement web application firewall rules to block SQL injection patterns in this parameter.

Add a ModSecurity rule such as (the (?i) flag makes the match case-insensitive, so UNION and union are both caught): SecRule ARGS:PersonID "@rx (?i)(\'|\"|--|#|;|union|select|insert|update|delete|drop|create|alter)" "id:1001,phase:2,deny,status:403,log"

🧯 If You Can't Patch

  • Restrict access to WhyCameEditor.php with IP allowlisting or additional authentication requirements
  • Run the application under a database user with minimal privileges (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

Test the PersonID parameter with SQL injection payloads like: PersonID=1' OR '1'='1

Check Version:

Check the ChurchCRM version in the admin panel or in the version.php file

Verify Fix Applied:

Test the same SQL injection payloads after patching; they should be rejected or properly handled

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Repeated requests whose PersonID parameter contains quotes, comment sequences, or other special characters

Network Indicators:

  • HTTP requests to WhyCameEditor.php with SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/churchcrm/WhyCameEditor.php" AND (query="*union*" OR query="*select*" OR query="*' OR '*" OR query="*;*" OR query="*--*")
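As an added example (not part of this advisory or of ChurchCRM), the following Python script applies the log indicators above to a few constructed access-log lines. It percent-decodes the query string before matching, since access logs usually store it encoded and a literal match on ' would otherwise miss %27, and it flags any request to WhyCameEditor.php whose PersonID is not a plain integer, which also catches payloads absent from the keyword list.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (combined log format) for the demo; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:00:01 +0000] "GET /churchcrm/WhyCameEditor.php?PersonID=42 HTTP/1.1" 200 1532
10.0.0.7 - - [01/Jun/2022:10:00:09 +0000] "GET /churchcrm/WhyCameEditor.php?PersonID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9871
10.0.0.7 - - [01/Jun/2022:10:00:12 +0000] "GET /churchcrm/WhyCameEditor.php?PersonID=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312
10.0.0.9 - - [01/Jun/2022:10:01:00 +0000] "GET /churchcrm/PersonView.php?PersonID=7 HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Keyword list mirrors the advisory's WAF rule; it only annotates a finding, it does not decide it.
SQLI_RE = re.compile(r"""('|"|--|#|;|\bunion\b|\bselect\b|\binsert\b|\bupdate\b|\bdelete\b|\bdrop\b)""", re.I)


def analyze_line(line):
    """Return a finding for a WhyCameEditor.php request whose PersonID is not a plain integer, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/WhyCameEditor.php"):
        return None
    # parse_qs percent-decodes once; decode again so double-encoded payloads (%2527) are normalised too.
    for raw in parse_qs(url.query, keep_blank_values=True).get("PersonID", []):
        value = unquote_plus(raw)
        if re.fullmatch(r"\d+", value):
            continue  # legitimate integer ID
        return {
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": m.group("status"),
            "person_id": value,
            "sqli_keyword": bool(SQLI_RE.search(value)),
        }
    return None


def scan(log_text):
    """Run analyze_line over every line and return the findings in log order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 response on a flagged request (as in the second sample line) is the case worth prioritising, because it suggests the injected condition was evaluated rather than rejected.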
