CVE-2025-1135

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in ChurchCRM allows attackers with administrator privileges to execute arbitrary SQL queries through the BatchWinnerEntry functionality. The vulnerability affects ChurchCRM versions 5.13.0 and earlier, potentially enabling data theft, modification, or deletion.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 5.13.0 and prior
Operating Systems: All platforms running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator privileges to exploit. Affects the BatchWinnerEntry functionality specifically.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including exfiltration of sensitive data, modification or deletion of all database records, and potential privilege escalation to system-level access.

🟠

Likely Case

Data exfiltration of sensitive church member information, financial records, and donor data, along with potential data manipulation affecting church operations.

🟢

If Mitigated

Limited impact due to administrator-only access requirement and proper input validation/sanitization controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrator credentials and knowledge of SQL injection techniques. Both boolean-based and time-based blind SQL injection methods are possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ChurchCRM version after 5.13.0

Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/7254

Restart Required: No

Instructions:

1. Upgrade ChurchCRM to a version after 5.13.0.
2. Apply the patch that addresses SQL injection in the BatchWinnerEntry functionality.
3. Verify that the CurrentFundraiser parameter is properly sanitized.

🔧 Temporary Workarounds

Disable BatchWinnerEntry functionality

all

Temporarily disable or restrict access to the vulnerable BatchWinnerEntry feature until patching is complete.

Implement WAF rules

all

Add web application firewall rules to block SQL injection patterns targeting the CurrentFundraiser parameter.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries for the CurrentFundraiser parameter
  • Restrict administrator account access and implement multi-factor authentication
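
As an added illustration, not ChurchCRM's code (the page does not show the project's real query or schema, and ChurchCRM is a PHP application, so only the pattern carries over), the following Python/sqlite3 snippet contrasts a string-concatenated lookup with a validated, parameterized one for a hypothetical CurrentFundraiser value. The fundraiser table and its rows are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a fundraiser list.
# It is NOT ChurchCRM's schema; the page does not show the real query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fundraiser (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO fundraiser VALUES (?, ?)",
        [(1, "Spring Auction"), (2, "Fall Gala"), (3, "Winter Raffle")],
    )
    return conn


def lookup_concatenated(conn, current_fundraiser):
    """Vulnerable pattern: the request value is spliced into the SQL text,
    so the database parses attacker-controlled characters as SQL."""
    sql = "SELECT id, title FROM fundraiser WHERE id = " + current_fundraiser
    return conn.execute(sql).fetchall()


def validate_fundraiser_id(raw):
    """Strict input validation: CurrentFundraiser must be a positive integer
    literal. Anything else (quotes, spaces, keywords) is rejected outright."""
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]{0,9}", raw):
        raise ValueError("CurrentFundraiser must be a positive integer")
    return int(raw)


def lookup_bound_only(conn, current_fundraiser):
    """Parameterized query without validation: the value is bound as data,
    so an injection string matches no row instead of altering the query."""
    return conn.execute(
        "SELECT id, title FROM fundraiser WHERE id = ?", (current_fundraiser,)
    ).fetchall()


def lookup_parameterized(conn, current_fundraiser):
    """Hardened form: validate first, then bind the typed value."""
    fid = validate_fundraiser_id(current_fundraiser)
    return lookup_bound_only(conn, fid)


if __name__ == "__main__":
    db = make_db()
    print("concatenated, injected :", lookup_concatenated(db, "1 OR 1=1"))  # every row
    print("bound only, injected   :", lookup_bound_only(db, "1 OR 1=1"))    # no rows
    print("validated, normal      :", lookup_parameterized(db, "2"))
    try:
        lookup_parameterized(db, "1 OR 1=1")
    except ValueError as exc:
        print("validated, injected    : rejected ->", exc)
```

Binding alone already stops the query from being rewritten; the integer allowlist on top of it means a malformed value is refused at the edge and can be logged as an anomaly rather than silently returning an empty result.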

🔍 How to Verify

Check if Vulnerable:

Check the ChurchCRM version in the system settings or admin panel. If the version is 5.13.0 or earlier, the system is vulnerable.

Check Version:

Check ChurchCRM admin dashboard or system information page for version number.

Verify Fix Applied:

Verify that the ChurchCRM version is later than 5.13.0 and test the BatchWinnerEntry functionality with SQL injection test payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by BatchWinnerEntry access
  • Unusual administrator account activity patterns

Network Indicators:

  • SQL injection patterns in HTTP requests to BatchWinnerEntry endpoints
  • Unusual database query volumes from web application

SIEM Query:

source="web_logs" AND (uri="*BatchWinnerEntry*" AND (param="*CurrentFundraiser*" AND value="*' OR *"))
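
The SIEM query above keys on the literal `' OR ` signature. As an added example that is not part of the original advisory, the Python scanner below applies the same idea to constructed access-log lines and widens it: because CurrentFundraiser should be a plain integer, any non-numeric value is worth a look, and the delay functions used by time-based blind probes are flagged alongside quote and tautology patterns. The /BatchWinnerEntry.php path, the GET placement of the parameter and the log lines themselves are assumptions made for the example, not taken from ChurchCRM.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined-log style). The /BatchWinnerEntry.php
# path and the GET placement of CurrentFundraiser are assumptions, not taken
# from ChurchCRM; they only make the parsing concrete.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /BatchWinnerEntry.php?CurrentFundraiser=3 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2025:10:01:09 +0000] "GET /BatchWinnerEntry.php?CurrentFundraiser=3%27%20OR%201%3D1--%20 HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2025:10:02:15 +0000] "GET /BatchWinnerEntry.php?CurrentFundraiser=3%20AND%20SLEEP(5) HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2025:10:03:44 +0000] "GET /MemberList.php?id=1%27%20OR%201%3D1 HTTP/1.1" 200 900
10.0.0.9 - - [12/Mar/2025:10:04:01 +0000] "GET /BatchWinnerEntry.php?CurrentFundraiser=abc HTTP/1.1" 500 120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Quote, boolean tautology, comment markers, statement separators, and the
# delay functions used by time-based blind probes.
SQLI_HINTS = re.compile(
    r"'|\b(?:or|and)\b\s+\S+\s*=|\b(?:sleep|benchmark|pg_sleep|waitfor)\b|--|/\*|;",
    re.IGNORECASE,
)


def classify_value(value):
    """Return None for a plain integer, otherwise a short reason string."""
    if re.fullmatch(r"\d+", value):
        return None
    if SQLI_HINTS.search(value):
        return "sqli-pattern"
    return "non-numeric"


def scan_log(text):
    """Return a list of (line number, decoded value, reason) for suspicious
    CurrentFundraiser values sent to a BatchWinnerEntry endpoint."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if "batchwinnerentry" not in parts.path.lower():
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are visible here.
        for value in parse_qs(parts.query).get("CurrentFundraiser", []):
            reason = classify_value(value)
            if reason:
                hits.append((lineno, value, reason))
    return hits


if __name__ == "__main__":
    for lineno, value, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason:12s} CurrentFundraiser={value!r}")
```

Decoding before matching matters: the `%27` in the second line never contains the literal `' OR ` string that the wildcard SIEM query looks for, so a raw-text match would miss it. Requests carrying the parameter in a POST body would need the same check applied to the body rather than the query string.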
