CVE-2025-1134
📋 TL;DR
This SQL injection vulnerability in ChurchCRM allows attackers with administrator privileges to execute arbitrary SQL queries through the DonatedItemEditor functionality. It affects ChurchCRM versions 5.13.0 and earlier, potentially enabling data theft, modification, or deletion.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive data, modification or deletion of all database records, and potential privilege escalation to system-level access.
Likely Case
Unauthorized access to and manipulation of donation records, user data, and other sensitive information stored in the ChurchCRM database.
If Mitigated
Limited impact due to proper access controls and monitoring, with potential detection of unauthorized SQL query attempts.
🎯 Exploit Status
Exploitation requires administrator credentials and knowledge of SQL injection techniques. Both boolean-based and time-based blind SQL injection methods are possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ChurchCRM 5.13.1 or later
Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/7253
Restart Required: No
Instructions:
1. Backup your ChurchCRM database and application files.
2. Download the latest version from the official ChurchCRM repository.
3. Replace the vulnerable files with patched versions.
4. Verify the fix by testing the DonatedItemEditor functionality.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement strict input validation for the CurrentFundraiser parameter so that it only accepts the expected data type and format.
Web Application Firewall Rules
Deploy WAF rules to block SQL injection patterns targeting the DonatedItemEditor endpoint.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ChurchCRM from sensitive systems and databases.
- Enforce principle of least privilege for administrator accounts and implement multi-factor authentication.
🔍 How to Verify
Check if Vulnerable:
Check if your ChurchCRM version is 5.13.0 or earlier by reviewing the version information in the application interface or configuration files.
Check Version:
Check the ChurchCRM admin dashboard or review the application's version.php/config.php files for version information.
Verify Fix Applied:
After patching, verify the version shows 5.13.1 or later and test the DonatedItemEditor functionality with SQL injection test payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by administrator account access
- Unusual administrator activity during off-hours
Network Indicators:
- HTTP requests to DonatedItemEditor with SQL injection payloads
- Unusual database connection patterns from the ChurchCRM application server
SIEM Query:
source="web_server_logs" AND (uri="*DonatedItemEditor*" AND (query="*SELECT*" OR query="*UNION*" OR query="*SLEEP*" OR query="*WAITFOR*"))
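Added example (not from this advisory or from the ChurchCRM project): a Python log scanner that applies the same keyword filter as the SIEM query above to constructed access-log lines, plus a check the keyword list alone misses. Boolean-based blind payloads contain none of SELECT/UNION/SLEEP/WAITFOR, so any CurrentFundraiser value that is not a plain integer is flagged as well, which is the same assumption the input-validation workaround makes. The /DonatedItemEditor.php path and the common-log-format lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (common log format); not real ChurchCRM traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2025:09:14:02 +0000] "GET /DonatedItemEditor.php?CurrentFundraiser=3 HTTP/1.1" 200 4012
10.0.0.7 - - [12/Feb/2025:09:15:11 +0000] "GET /DonatedItemEditor.php?CurrentFundraiser=3%20AND%20SLEEP(5) HTTP/1.1" 200 4012
10.0.0.7 - - [12/Feb/2025:09:15:40 +0000] "GET /DonatedItemEditor.php?CurrentFundraiser=3%20AND%201%3D1 HTTP/1.1" 200 4012
10.0.0.9 - - [12/Feb/2025:09:16:05 +0000] "GET /index.php?q=SELECT%20all HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Same keyword set as the SIEM query; catches UNION- and time-based payloads.
SQLI_KEYWORDS = re.compile(r"\b(SELECT|UNION|SLEEP|WAITFOR)\b", re.IGNORECASE)


def classify(line):
    """Return a reason string if the request targets DonatedItemEditor suspiciously, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if "DonatedItemEditor" not in parts.path:  # only this endpoint is in scope
        return None
    query = unquote_plus(parts.query)  # decode %20 etc. before keyword matching
    if SQLI_KEYWORDS.search(query):
        return "sqli-keyword"
    # Boolean-based blind payloads ("... AND 1=1") contain none of the keywords,
    # so also flag any CurrentFundraiser value that is not a plain integer.
    for value in parse_qs(parts.query).get("CurrentFundraiser", []):
        if not value.isdigit():
            return "non-numeric-CurrentFundraiser"
    return None


def scan(log_text):
    """Return a list of (client_ip, reason, request_target) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            ip = line.split(" ", 1)[0]
            hits.append((ip, reason, REQUEST_RE.search(line).group("target")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```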