CVE-2025-1132
📋 TL;DR
A time-based blind SQL injection vulnerability in ChurchCRM versions 5.13.0 and earlier allows authenticated administrators to execute arbitrary SQL commands via the EN_tyid parameter in EditEventAttendees.php. This can enable attackers to extract sensitive database information through timing-based inference attacks. Only systems running vulnerable ChurchCRM versions with administrator accounts are affected.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of sensitive user data, authentication credentials, and potential privilege escalation to full system control.
Likely Case
Information disclosure from the database including user details, event attendance records, and potentially hashed passwords.
If Mitigated
Limited impact due to the administrator-only access requirement and the time-based nature of the attack, which makes exploitation slow and detectable.
🎯 Exploit Status
Exploitation requires administrator credentials and involves time-based blind SQL injection techniques, which are slower and more complex than traditional SQLi.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ChurchCRM version after 5.13.0
Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/7251
Restart Required: No
Instructions:
1. Back up your ChurchCRM database and files.
2. Update to the latest ChurchCRM version.
3. Verify the patch by checking that parameter sanitization is implemented in EditEventAttendees.php.
🔧 Temporary Workarounds
Input Validation Workaround
Add server-side validation to ensure the EN_tyid parameter contains only expected values.
Modify EditEventAttendees.php to validate the EN_tyid parameter using prepared statements or whitelist validation.
Access Restriction
Temporarily restrict access to the vulnerable endpoint.
Add authentication middleware or IP restrictions to EditEventAttendees.php access.
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all SQL operations
- Enforce strong authentication controls and monitor administrator account activity
🔍 How to Verify
Check if Vulnerable:
Check whether the ChurchCRM version is 5.13.0 or earlier and examine EditEventAttendees.php for unsanitized use of the EN_tyid parameter in SQL queries.
Check Version:
Check the ChurchCRM version in the admin panel or examine the version files in the installation directory.
Verify Fix Applied:
Verify that the ChurchCRM version is newer than 5.13.0 and that EditEventAttendees.php uses parameterized queries or proper input sanitization for the EN_tyid parameter.
📡 Detection & Monitoring
Log Indicators:
- Unusually long-running SQL queries originating from EditEventAttendees.php
- Multiple failed login attempts followed by administrator access to vulnerable endpoint
- Suspicious timing patterns in request/response cycles
Network Indicators:
- Repeated requests to EditEventAttendees.php with varying EN_tyid parameters
- Unusually long response times from specific endpoint requests
SIEM Query:
source="web_logs" AND uri="/EditEventAttendees.php" AND (response_time>5000 OR (parameter="EN_tyid" AND value MATCHES "[^0-9]"))
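The indicators above can be checked outside a SIEM as well. The following is an added example, not part of the advisory or of ChurchCRM: it runs the same logic (slow responses, non-numeric EN_tyid values, and repeated requests with varying EN_tyid from one client) over constructed access-log lines in an assumed `ip method uri status response_ms` format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Constructed sample access log (not real ChurchCRM logs); assumed format:
# <client_ip> <method> <uri_with_query> <status> <response_time_ms>
SAMPLE_LOG = """\
10.0.0.5 GET /EditEventAttendees.php?EN_tyid=12 200 180
10.0.0.5 GET /EditEventAttendees.php?EN_tyid=13 200 210
10.0.0.9 GET /EditEventAttendees.php?EN_tyid=1%27 200 5230
10.0.0.9 GET /EditEventAttendees.php?EN_tyid=abc 200 160
10.0.0.9 GET /EditEventAttendees.php?EN_tyid=14 200 5120
10.0.0.7 GET /index.php?page=1 200 95
"""

ENDPOINT = "/EditEventAttendees.php"
SLOW_MS = 5000  # the advisory's response_time>5000 threshold
NUMERIC = re.compile(r"[0-9]+")  # mirrors the advisory's value MATCHES "[^0-9]" check
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) (?P<ms>\d+)$")

def parse_line(line):
    """Split one log line into client IP, request path, decoded query params and latency."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["uri"])
    params = parse_qs(url.query, keep_blank_values=True)
    return {"ip": m["ip"], "path": url.path, "params": params, "ms": int(m["ms"])}

def flag_request(rec):
    """Return the per-request indicators that fire: slow response and/or non-numeric EN_tyid."""
    if rec["path"] != ENDPOINT:
        return []
    reasons = ["slow_response"] if rec["ms"] > SLOW_MS else []
    if any(not NUMERIC.fullmatch(v) for v in rec["params"].get("EN_tyid", [])):
        reasons.append("non_numeric_EN_tyid")
    return reasons

def analyze(log_text, repeat_threshold=3):
    """Per-request alerts plus clients sending >= repeat_threshold distinct EN_tyid values."""
    alerts, variants = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if reasons := flag_request(rec):
            alerts.append((rec["ip"], rec["ms"], reasons))
        if rec["path"] == ENDPOINT:
            variants[rec["ip"]].update(rec["params"].get("EN_tyid", []))
    repeated = {ip: len(v) for ip, v in variants.items() if len(v) >= repeat_threshold}
    return alerts, repeated
```

On the sample log, `analyze(SAMPLE_LOG)` flags the three 10.0.0.9 requests individually and also reports 10.0.0.9 as a client cycling through three distinct EN_tyid values, while the numeric, fast requests from 10.0.0.5 produce nothing.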