CVE-2025-1133
📋 TL;DR
This vulnerability allows authenticated administrators in ChurchCRM versions 5.13.0 and earlier to execute arbitrary SQL queries through boolean-based blind SQL injection in the EditEventAttendees functionality. Attackers with admin privileges can manipulate the EID parameter to exfiltrate, modify, or delete database data. Only ChurchCRM installations with administrator accounts are affected.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive user data, modification/deletion of all database records, and potential privilege escalation to system-level access.
Likely Case
Data exfiltration of user information, event attendance records, and potentially authentication credentials stored in the database.
If Mitigated
Limited impact due to requirement for administrator credentials and proper network segmentation limiting database access.
🎯 Exploit Status
Exploitation requires administrator credentials and knowledge of SQL injection techniques. The blind nature adds complexity but is still exploitable by skilled attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ChurchCRM 5.13.1 or later
Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/7252
Restart Required: No
Instructions:
1. Backup your ChurchCRM database and files.
2. Download the latest version from the official ChurchCRM repository.
3. Replace the affected files with patched versions.
4. Verify the fix by testing the EditEventAttendees functionality.
🔧 Temporary Workarounds
Input Validation Workaround
Add input validation to sanitize the EID parameter before processing
Modify the EditEventAttendees function to validate EID parameter as integer using is_numeric() or similar validation
Access Restriction
Temporarily disable EditEventAttendees functionality or restrict access to trusted administrators only
Add authentication checks or disable the affected endpoint in your web server configuration
🧯 If You Can't Patch
- Implement strict input validation for all EID parameters (accept integers only) and use prepared statements or parameterized queries for the database calls that consume them
- Apply network segmentation to isolate the ChurchCRM database from other systems and implement strict firewall rules
🔍 How to Verify
Check if Vulnerable:
Test the EditEventAttendees functionality with SQL injection payloads in the EID parameter while authenticated as administrator
Check Version:
Check the ChurchCRM version in the admin panel or review the version.php file
Verify Fix Applied:
Attempt SQL injection attacks against the patched EditEventAttendees functionality to confirm they are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by EditEventAttendees access
- Unusual patterns in EID parameter values in web server logs
Network Indicators:
- Unusual database connection patterns from the ChurchCRM application server
- Large volume of requests to EditEventAttendees endpoint with varying EID parameters
SIEM Query:
source="web_server" AND uri="/EditEventAttendees" AND (param="EID" AND value MATCHES "[';]|UNION|SELECT|FROM|WHERE")
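As an added example (not from this page or the ChurchCRM project), the following Python scanner applies the idea behind the SIEM query above to web-server access logs, but percent-decodes the EID value first, so encoded quotes and keywords that a raw-string match would miss are still flagged. The log lines, IP addresses, usernames and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2025:10:00:01 +0000] "GET /EditEventAttendees.php?EID=42 HTTP/1.1" 200 5120
10.0.0.5 - admin [01/Mar/2025:10:00:02 +0000] "GET /EditEventAttendees.php?EID=43 HTTP/1.1" 200 5098
10.0.0.9 - admin [01/Mar/2025:10:05:10 +0000] "GET /EditEventAttendees.php?EID=42%20AND%201%3D1 HTTP/1.1" 200 5120
10.0.0.9 - admin [01/Mar/2025:10:05:11 +0000] "GET /EditEventAttendees.php?EID=42%20AND%201%3D2 HTTP/1.1" 200 311
10.0.0.9 - admin [01/Mar/2025:10:05:12 +0000] "GET /EditEventAttendees.php?EID=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Mar/2025:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)'
)
# Same character/keyword set as the SIEM query, plus boolean/time-based markers.
INJECTION_HINT = re.compile(
    r"['\";]|\b(UNION|SELECT|FROM|WHERE|AND|OR|SLEEP|BENCHMARK)\b", re.IGNORECASE
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    split = urlsplit(rec["target"])
    rec["path"] = split.path
    # parse_qs percent-decodes, so %27 / %20 become visible quotes and spaces.
    rec["eid"] = parse_qs(split.query).get("EID", [None])[0]
    return rec

def classify_eid(eid):
    """Return a reason string if the EID value is anomalous, else None."""
    if eid is None or eid.isdigit():      # absent or a plain integer id: expected
        return None
    if INJECTION_HINT.search(eid):
        return "sql-metacharacters-or-keywords"
    return "non-numeric"

def scan_log(text):
    """Return (ip, user, eid, reason) for EditEventAttendees requests with an anomalous EID."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/EditEventAttendees"):
            continue
        reason = classify_eid(rec["eid"])
        if reason:
            alerts.append((rec["ip"], rec["user"], rec["eid"], reason))
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The paired true/false probes in the sample (same EID prefix, different response sizes from one client within seconds) are the boolean-based blind pattern the advisory describes, so grouping alerts by source IP is a useful next step.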