CVE-2025-11939

4.7 MEDIUM

📋 TL;DR

This vulnerability in ChurchCRM allows attackers to perform path traversal attacks via the restoreFile parameter in the backup restore functionality. Remote attackers can potentially access or manipulate files outside the intended directory. All ChurchCRM installations up to version 5.18.0 are affected.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: Up to and including 5.18.0
Operating Systems: All platforms running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; requires backup restore functionality to be accessible

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution or sensitive file disclosure by accessing system files outside the web root

🟠

Likely Case

Unauthorized file read/write operations leading to data exposure or system compromise

🟢

If Mitigated

Limited impact if proper file permissions and input validation are in place

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication
🏢 Internal Only: MEDIUM - Still exploitable by internal users or compromised accounts

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in GitHub advisory; vendor did not respond to disclosure

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor unresponsive

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to any version above 5.18.0 if released, or implement workarounds.

🔧 Temporary Workarounds

Disable Backup Restore Functionality


Remove or restrict access to the vulnerable restore handler

# Remove or rename src/ChurchCRM/Backup/RestoreJob.php
# Add authentication/authorization checks to restore functionality

Implement Input Validation


Add path traversal checks to restoreFile parameter processing

# In RestoreJob.php, resolve the restoreFile parameter with realpath() and check that the result lies within the allowed backup directory
# realpath() returns false for a non-existent path, so test for false before the prefix check
# Example: $real = realpath($restoreFile); if ($real === false || strpos($real, '/allowed/path/') !== 0) { die('Invalid file'); }
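The realpath() check above written out as a complete validation routine, as an added example that is not ChurchCRM's own code; the function name, the $backupDir argument and the demo directory are assumed for illustration.

```php
<?php
// Added example, not ChurchCRM code: resolve a user-supplied restoreFile value
// to a path that is guaranteed to sit inside the backup directory, or return null.
function resolveRestoreFile(string $backupDir, string $restoreFile): ?string
{
    // A backup name must be a bare file name: no slashes, no "../", no empty value.
    if ($restoreFile === '' || basename($restoreFile) !== $restoreFile) {
        return null;
    }
    $base = realpath($backupDir);
    if ($base === false) {
        return null; // the backup directory itself does not exist
    }
    // realpath() returns false for a non-existent file; never hand that to strpos().
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $restoreFile);
    if ($candidate === false) {
        return null;
    }
    // Compare against the prefix including the separator, so that
    // "/var/backups" is not satisfied by "/var/backups-old/evil".
    // This also rejects symlinks inside the directory that point elsewhere.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-contained demo on a constructed temporary backup directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'churchcrm-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'backup-2025.zip', 'demo');

$inputs = ['backup-2025.zip', '../../etc/passwd', 'missing.zip', 'sub/backup-2025.zip', '..'];
foreach ($inputs as $in) {
    $out = resolveRestoreFile($dir, $in);
    printf("%-22s => %s\n", $in, $out === null ? 'REJECTED' : $out);
}

unlink($dir . DIRECTORY_SEPARATOR . 'backup-2025.zip');
rmdir($dir);
```

Only the first input resolves to a path; every other input, including the bare `..` that passes the basename check, is rejected by the realpath prefix comparison.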

🧯 If You Can't Patch

  • Implement strict file system permissions to limit damage
  • Use web application firewall (WAF) rules to block path traversal patterns

🔍 How to Verify

Check if Vulnerable:

Check ChurchCRM version; if ≤5.18.0 and backup restore functionality is accessible, system is vulnerable

Check Version:

Check ChurchCRM admin interface or examine version files in installation directory

Verify Fix Applied:

Test path traversal attempts via restoreFile parameter; successful blocks indicate mitigation

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs
  • Requests to RestoreJob.php with suspicious file paths

Network Indicators:

  • HTTP requests containing '../' or similar path traversal sequences

SIEM Query:

web.url:*RestoreJob.php* AND (web.url:*../* OR web.url:*..\*)

🔗 References
