CVE-2024-25893

9.1 CRITICAL

📋 TL;DR

ChurchCRM 5.5.0 contains a blind SQL injection vulnerability in FRCertificates.php via the CurrentFundraiser GET parameter. This allows attackers to execute arbitrary SQL queries and potentially extract sensitive database information. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 5.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the FRCertificates.php endpoint to be accessible, which is part of the fundraising module.

📦 What is this software?

ChurchCRM is an open-source, PHP-based church management system. The fundraising module that ships FRCertificates.php is part of the standard application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including extraction of user credentials, personal data, financial records, and potential remote code execution through database functions.

🟠 Likely Case

Data exfiltration of sensitive information from the database including user data, financial records, and system configuration.

🟢 If Mitigated

Limited information disclosure if database permissions are properly restricted and input validation is implemented elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Time-based blind SQL injection requires no authentication and can be automated with tools like sqlmap.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.1 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/6856

Restart Required: No

Instructions:

1. Back up your ChurchCRM installation and database.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Web Application Firewall (WAF)
Applies to: all

Implement WAF rules to block SQL injection patterns targeting the CurrentFundraiser parameter.

Input Validation Filter
Applies to: all

Add server-side validation to sanitize the CurrentFundraiser parameter before processing.
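The validation workaround above is shown here as an added example; it is not ChurchCRM's own code (the project is PHP) but the same pattern in Python against a constructed in-memory SQLite table. It assumes CurrentFundraiser is a numeric fundraiser id, so the filter is a strict allowlist (digits only, single occurrence) and the query is parameterized; the concatenating lookup is included only to show the bug class the filter and the bound parameter close.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed demo table; the real ChurchCRM schema is not modelled here.
_DEMO_ROWS = [(1, "Spring Gala"), (2, "Fall Auction")]


def demo_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fundraiser (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO fundraiser VALUES (?, ?)", _DEMO_ROWS)
    return conn


# Assumption: a fundraiser id is a positive integer of at most 10 digits.
_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def validate_current_fundraiser(query_string):
    """Return CurrentFundraiser as an int, or None if absent, repeated or not an id.

    Rejecting anything that is not a plain integer means no SQL syntax can ever
    reach the query, whatever encoding the client used.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("CurrentFundraiser", [])
    if len(values) != 1 or not _ID_RE.match(values[0]):
        return None
    return int(values[0])


def lookup_unsafe(conn, raw_value):
    """Pattern to avoid: the raw parameter is concatenated into the statement,
    so the database parses attacker-controlled text as SQL."""
    sql = "SELECT id, title FROM fundraiser WHERE id = " + raw_value
    return conn.execute(sql).fetchall()


def lookup_safe(conn, query_string):
    """Hardened form: allowlist-validate, then bind the value as a parameter."""
    fid = validate_current_fundraiser(query_string)
    if fid is None:
        return []  # a real handler would return HTTP 400 here
    return conn.execute(
        "SELECT id, title FROM fundraiser WHERE id = ?", (fid,)
    ).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    print(lookup_safe(conn, "CurrentFundraiser=2"))
    print(lookup_safe(conn, "CurrentFundraiser=1 OR 1=1"))   # rejected: []
    print(lookup_unsafe(conn, "1 OR 1=1"))                    # returns every row
```

Even with the allowlist in place, the bound parameter is the control that matters: validation can be bypassed by a later code change, while a parameterized statement never treats the value as SQL.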

🧯 If You Can't Patch

  • Restrict access to the FRCertificates.php endpoint using IP whitelisting or authentication requirements.
  • Implement database-level controls to limit query execution permissions for the application user.

🔍 How to Verify

Check if Vulnerable:

Test the FRCertificates.php endpoint with time-based SQL injection payloads in the CurrentFundraiser parameter.

Check Version:

Check the ChurchCRM version in the admin panel or review the software version files.

Verify Fix Applied:

Attempt the same SQL injection tests after patching; successful queries should no longer cause time delays.

📡 Detection & Monitoring

Log Indicators:

  • Unusual long-duration requests to FRCertificates.php
  • SQL error messages in application logs
  • Multiple requests with SQL-like patterns in parameters

Network Indicators:

  • HTTP requests with SQL injection patterns in GET parameters
  • Unusual timing patterns in requests to the vulnerable endpoint

SIEM Query:

source="web_logs" AND uri="/FRCertificates.php" AND (param="CurrentFundraiser" AND value MATCHES "(?i)(sleep|benchmark|waitfor)")
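The log and network indicators above, together with the SIEM query, are implemented here as an added example (not part of the original advisory or of ChurchCRM). It assumes access logs in a combined-log-like format with a trailing per-request time in milliseconds, and the sample lines are constructed; the 3000 ms "slow request" threshold is an assumption to tune against your own baseline.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: combined-log fields plus request time in ms as the last field.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2024:10:00:01 +0000] "GET /FRCertificates.php?CurrentFundraiser=3 HTTP/1.1" 200 512 120
203.0.113.5 - - [01/Mar/2024:10:00:09 +0000] "GET /FRCertificates.php?CurrentFundraiser=3%20AND%20SLEEP(5) HTTP/1.1" 200 512 5130
198.51.100.7 - - [01/Mar/2024:10:00:12 +0000] "GET /FRCertificates.php?CurrentFundraiser=3%20AND%20benchmark(5000000,md5(1)) HTTP/1.1" 200 512 4900
198.51.100.7 - - [01/Mar/2024:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 2048 30
203.0.113.5 - - [01/Mar/2024:10:00:20 +0000] "GET /FRCertificates.php?CurrentFundraiser=7 HTTP/1.1" 200 512 6200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# Same token list as the advisory's SIEM query, applied to the decoded value.
TIME_SQLI_RE = re.compile(r"(?i)(sleep|benchmark|waitfor)")
VULN_PATH = "/FRCertificates.php"
VULN_PARAM = "CurrentFundraiser"
SLOW_MS = 3000  # assumption: tune to the endpoint's normal latency


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so encoded payloads are matched after decoding.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    rec["ms"] = int(rec["ms"])
    return rec


def classify(rec):
    """Return the indicator names a single record triggers (possibly none)."""
    if rec is None or rec["path"] != VULN_PATH:
        return []
    hits = []
    if any(TIME_SQLI_RE.search(v) for v in rec["params"].get(VULN_PARAM, [])):
        hits.append("sqli_time_pattern")
    if rec["ms"] >= SLOW_MS:
        hits.append("slow_request")
    return hits


def scan(log_text):
    """Return (ip, timestamp, indicators) for every line that triggers an indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            findings.append((rec["ip"], rec["ts"], hits))
    return findings


def by_source(findings):
    """Count findings per client IP; repeated hits from one source are the
    'multiple requests with SQL-like patterns' indicator."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, ts, hits in found:
        print(ip, ts, ",".join(hits))
    print(dict(by_source(found)))
```

A slow request on its own (the last sample line) is a weak signal and is reported separately from a pattern match, so an analyst can raise the threshold or require both indicators before alerting; matching on the decoded parameter value, not the raw URI, is what keeps percent-encoded variants from slipping past the SIEM regex.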

🔗 References

  • https://github.com/ChurchCRM/CRM/issues/6856