CVE-2024-25891

7.5 HIGH

📋 TL;DR

ChurchCRM 5.5.0 contains a blind SQL injection vulnerability in FRBidSheets.php via the CurrentFundraiser GET parameter. This allows attackers to execute arbitrary SQL queries and potentially extract sensitive database information. All ChurchCRM 5.5.0 installations with the fundraising module enabled are affected.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 5.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the fundraising module to be enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including user credentials, financial data, personal information, and potential remote code execution via database functions.

🟠 Likely Case

Extraction of sensitive user data, authentication bypass, and database manipulation.

🟢 If Mitigated

Limited information disclosure if proper input validation and WAF rules are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Time-based blind SQL injection requires automated tools but is well-documented in security toolkits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.1 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/6856

Restart Required: No

Instructions:

1. Back up your ChurchCRM installation and database.
2. Download the latest version from the official repository.
3. Replace the vulnerable FRBidSheets.php file.
4. Verify the fix by testing the CurrentFundraiser parameter.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add parameter validation so that the CurrentFundraiser parameter only accepts numeric values.

Modify FRBidSheets.php to validate the CurrentFundraiser parameter with is_numeric() or a similar function.

WAF Rule

Applies to: all

Block SQL injection patterns in the web application firewall.

Add a WAF rule to detect and block SQL injection attempts on the CurrentFundraiser parameter.

🧯 If You Can't Patch

  • Disable the fundraising module if not required
  • Implement network segmentation and restrict access to ChurchCRM to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Test the CurrentFundraiser parameter with time-based SQL injection payloads (e.g., SLEEP(5)) and observe whether the response is delayed.

Check Version:

Check the ChurchCRM version in the admin panel or via the version.php file.

Verify Fix Applied:

Test the CurrentFundraiser parameter with SQL injection payloads and verify that they are rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long-running database queries
  • Multiple requests with SQL keywords in the CurrentFundraiser parameter
  • Error logs showing SQL syntax errors

Network Indicators:

  • HTTP requests containing SQL keywords such as SLEEP, WAITFOR, or BENCHMARK in the CurrentFundraiser parameter
  • Unusual timing patterns in HTTP responses

SIEM Query:

http.uri_query contains "CurrentFundraiser" AND (http.uri_query contains "SLEEP" OR http.uri_query contains "WAITFOR" OR http.uri_query contains "BENCHMARK")
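As an added example (not part of this advisory or of ChurchCRM), the log indicators above turned into a small Python scanner over constructed Apache-style access-log lines: it URL-decodes the query string, flags CurrentFundraiser values that contain the SLEEP, WAITFOR or BENCHMARK keywords or that are not numeric, and tallies the offending source addresses. The log lines and IP addresses are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:01:02 +0000] "GET /FRBidSheets.php?CurrentFundraiser=3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2024:10:01:05 +0000] "GET /FRBidSheets.php?CurrentFundraiser=3%20AND%20SLEEP(5) HTTP/1.1" 200 8123 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2024:10:01:11 +0000] "GET /FRBidSheets.php?CurrentFundraiser=3+AND+BENCHMARK(1000000,1) HTTP/1.1" 200 8123 "-" "python-requests/2.31"
198.51.100.4 - - [01/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Mar/2024:10:02:09 +0000] "GET /FRBidSheets.php?CurrentFundraiser=1%20waitfor%20delay HTTP/1.1" 200 8123 "-" "curl/8.0"
203.0.113.9 - - [01/Mar/2024:10:02:30 +0000] "GET /FRBidSheets.php?CurrentFundraiser=abc HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TIMING_KEYWORDS = ("SLEEP", "WAITFOR", "BENCHMARK")  # the keywords named in the advisory


def inspect_request(target: str):
    """Return a reason string if the request looks like an injection attempt against
    CurrentFundraiser, else None. parse_qs undoes %xx and '+' encoding so that
    encoded keywords are still seen."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "CurrentFundraiser" not in query:
        return None
    for value in query["CurrentFundraiser"]:
        upper = value.upper()  # match case-insensitively
        hits = [k for k in TIMING_KEYWORDS if k in upper]
        if hits:
            return "time-based keyword: " + ",".join(hits)
        if not value.isdigit():  # the parameter is only expected to carry a numeric id
            return "non-numeric value"
    return None


def scan_log(text: str):
    """Return a list of (ip, status, reason) tuples for suspicious requests, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        reason = inspect_request(m["target"])
        if reason:
            findings.append((m["ip"], int(m["status"]), reason))
    return findings


def sources_by_count(findings):
    """Tally findings per source IP, most active first, to surface repeated probing."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(sources_by_count(scan_log(SAMPLE_LOG)))
```

A request that passes this filter can still be a probe that uses other keywords, so treat it as a first-pass triage over web-server logs rather than a replacement for the SIEM query or the database-side long-query indicators.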
