CVE-2025-1023

9.8 CRITICAL

📋 TL;DR

A critical SQL injection vulnerability in ChurchCRM versions 5.13.0 and earlier allows an authenticated attacker to execute arbitrary database queries through the EditEventTypes functionality. The newCountName parameter is placed into a SQL statement without proper parameterization, so a crafted value can be used to exfiltrate, modify, or delete sensitive data. All ChurchCRM deployments running affected versions are vulnerable.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 5.13.0 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Every installation where the EditEventTypes functionality is reachable by an authenticated user is vulnerable. No special configuration is required.

📦 What is this software?

ChurchCRM is an open-source, PHP-based church management system (membership records, donations, events and attendance counts) backed by a MySQL/MariaDB database. It is typically self-hosted by congregations and is often exposed to the internet so members and staff can reach it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise, including exfiltration of all member data, administrative credential hashes and financial records, and potential remote code execution if the database account holds file-write or similarly dangerous privileges.

🟠

Likely Case

Data exfiltration of sensitive information (user credentials, personal data, financial records) and potential database manipulation or destruction.

🟢

If Mitigated

Limited impact if the application's database account is restricted to the tables and statements it needs, the host is network-segmented, and input validation or a WAF blocks obvious payloads. SQL injection remains dangerous even then, because the attacker can still read and alter whatever the application account can reach.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No (an authenticated session is required)
Complexity: LOW

SQL injection is well understood and many automated tools can exploit it once a vulnerable parameter is known. Exploitation requires an authenticated account that can reach the EditEventTypes functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.13.1 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/7246

Restart Required: No

Instructions:

1. Back up the ChurchCRM database and application files.
2. Download the latest release (5.13.1 or later) from the official ChurchCRM repository.
3. Replace the vulnerable files with the patched versions.
4. Verify the fix by exercising the EditEventTypes functionality (see How to Verify below).

🔧 Temporary Workarounds

Input Validation Filter (applies to: all platforms)

Add input validation that rejects or sanitizes the newCountName parameter before it reaches the query. Preferably, modify EditEventTypes.php so the value is passed through a parameterized query instead of being concatenated into the SQL text.

Access Restriction (applies to: all platforms)

Temporarily disable or restrict access to the EditEventTypes functionality, for example by adding additional authorization checks or IP restrictions on the EditEventTypes endpoint.
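The following is an added illustration of the TL;DR and of the parameterized-query workaround above; it is not ChurchCRM's code. It models the newCountName handling with a constructed, in-memory SQLite schema (the table and column names, the `users` table and the hash value are all invented for the example) and shows how a string-built INSERT lets the parameter smuggle a second row that copies the admin password hash into a table the user can later read, while the parameterized version stores the same payload as a harmless literal. The allowlist regex is an example of the "input validation filter" workaround, not the project's validation.

```python
import re
import sqlite3

# Constructed schema standing in for the tables EditEventTypes touches.
# Names and values are illustrative, not ChurchCRM's real schema.
SCHEMA = """
CREATE TABLE users (username TEXT, password_hash TEXT);
CREATE TABLE event_counts (event_type_id INTEGER, count_name TEXT);
INSERT INTO users VALUES ('admin', '$2y$10$constructed-not-a-real-hash');
"""

# Hypothetical newCountName value: closes the string, adds a second row whose
# value is a subquery against another table, and comments out the rest.
PAYLOAD = "x'), (1, (SELECT password_hash FROM users WHERE username='admin')) -- "

# Allowlist for a display name: letters, digits, space, underscore, hyphen.
COUNT_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,50}")


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_count_vulnerable(conn, event_type_id, new_count_name):
    """Vulnerable pattern: the request parameter becomes part of the SQL text."""
    sql = (
        "INSERT INTO event_counts (event_type_id, count_name) "
        f"VALUES ({event_type_id}, '{new_count_name}')"
    )
    conn.execute(sql)
    conn.commit()


def add_count_fixed(conn, event_type_id, new_count_name):
    """Hardened pattern: placeholders keep the value out of the query structure."""
    conn.execute(
        "INSERT INTO event_counts (event_type_id, count_name) VALUES (?, ?)",
        (int(event_type_id), new_count_name),
    )
    conn.commit()


def count_name_is_valid(name):
    """Workaround-style allowlist check applied before the query runs."""
    return COUNT_NAME_RE.fullmatch(name) is not None


def count_names(conn, event_type_id):
    """What the UI would later display for this event type."""
    rows = conn.execute(
        "SELECT count_name FROM event_counts WHERE event_type_id = ? ORDER BY rowid",
        (event_type_id,),
    )
    return [r[0] for r in rows]


def demo():
    """Run the same payload through both code paths and return what each stored."""
    vuln = new_db()
    add_count_vulnerable(vuln, 1, PAYLOAD)
    fixed = new_db()
    add_count_fixed(fixed, 1, PAYLOAD)
    return count_names(vuln, 1), count_names(fixed, 1)


if __name__ == "__main__":
    vuln_rows, fixed_rows = demo()
    print("vulnerable stored:", vuln_rows)   # second row is the admin hash
    print("parameterized stored:", fixed_rows)  # payload stored verbatim
    print("allowlist accepts payload:", count_name_is_valid(PAYLOAD))
```

The exfiltration here is second-order: nothing leaks in the injecting request itself, the hash simply appears as a "count name" the next time the page is rendered, which is why "unexpected values in stored records" is worth checking during incident response. The allowlist is defence in depth only; the parameterized statement is the actual fix.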

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Compare the running ChurchCRM version against 5.13.0: any installation at 5.13.0 or earlier in which the EditEventTypes functionality is reachable is vulnerable.

Check Version:

Check the version shown in the ChurchCRM admin panel, or inspect the version.php file in the installation directory.

Verify Fix Applied:

Submit a harmless test value containing a single quote (for example O'Brien) as newCountName in the EditEventTypes functionality. A patched instance stores the value verbatim with no database error; a SQL error or truncated value indicates the parameter is still reaching the query unparameterized. Only run injection payloads against systems you are authorized to test.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web application
  • Multiple failed SQL injection attempts
  • Unexpected database errors in logs

Network Indicators:

  • HTTP requests with SQL keywords in parameters
  • Unusual traffic patterns to EditEventTypes endpoint

SIEM Query:

web.url:*EditEventTypes* AND (web.param:*SELECT* OR web.param:*UNION* OR web.param:*OR 1=1*)
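As an added example (not part of the original advisory), the detection logic behind the SIEM query above, run over a few constructed Combined Log Format lines. Parameter names other than newCountName, IP addresses, timestamps and user agents are all invented for the sample. The point it adds to the one-line query: payloads arrive percent-encoded, so the values must be URL-decoded before the keyword match, and a sudden 500 on the same endpoint is the "unexpected database error" indicator.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines for illustration; not real ChurchCRM logs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2025:10:01:02 +0000] "GET /EditEventTypes.php?EventTypeID=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2025:10:01:40 +0000] "GET /EditEventTypes.php?EventTypeID=3&newCountName=Adults HTTP/1.1" 200 5140 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Feb/2025:10:03:44 +0000] "GET /EditEventTypes.php?EventTypeID=3&newCountName=x%27%29%2C+%28SELECT+1%29+--+ HTTP/1.1" 200 5200 "-" "sqlmap/1.8"
10.0.0.9 - - [10/Feb/2025:10:03:45 +0000] "GET /EditEventTypes.php?EventTypeID=3&newCountName=%27+or+1%3D1+--+ HTTP/1.1" 500 0 "-" "sqlmap/1.8"
10.0.0.7 - - [10/Feb/2025:10:05:10 +0000] "GET /v2/events HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same indicators as the SIEM query, applied to the *decoded* parameter value.
SQLI_RE = re.compile(
    r"\b(select|union|insert|update|delete|drop|sleep|benchmark)\b"  # SQL keywords
    r"|\b(or|and)\s+\S+\s*=\s*\S+"                                   # tautology, e.g. OR 1=1
    r"|--\s|/\*|;",                                                   # comment markers / terminator
    re.IGNORECASE,
)


def find_sqli_attempts(log_text, endpoint="EditEventTypes"):
    """Return one finding per suspicious parameter on requests to the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if endpoint not in url.path:
            continue
        # parse_qsl percent-decodes and turns '+' into spaces, so the
        # keyword match sees what the application saw.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SQLI_RE.search(value):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "param": name,
                    "value": value,
                    "status": int(m["status"]),
                })
    return hits


def attempts_by_ip(hits):
    """Count findings per source address to surface repeated probing."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in find_sqli_attempts(SAMPLE_LOG):
        flag = " (server error)" if h["status"] >= 500 else ""
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["value"]!r} -> {h["status"]}{flag}')
    print(attempts_by_ip(find_sqli_attempts(SAMPLE_LOG)))
```

If ChurchCRM receives newCountName in a POST body rather than the query string, the web server access log will not contain the value at all; in that case the same matching has to run on WAF logs or on application-level request logging, and the 500s plus repeated hits on the endpoint from one client are what remain visible in the access log.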
