CVE-2025-66313

7.2 HIGH

📋 TL;DR

ChurchCRM versions 6.2.0 and earlier contain a time-based blind SQL injection vulnerability in the 1FieldSec parameter handling. This allows attackers to extract sensitive database information or modify data through blind injection techniques. All ChurchCRM installations running vulnerable versions are affected.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 6.2.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations running affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including exfiltration of sensitive personal data (member information, financial records, credentials) and potential system takeover.

🟠 Likely Case: Data exfiltration of church member information, financial records, and user credentials through blind SQL injection techniques.

🟢 If Mitigated: Limited impact, with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Time-based blind SQL injection requires specialized tooling, but the technique is well documented and automated tools exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 719a6bc73245c40e3c30dae6229daaecd451e59f

Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-47q3-c874-mqvp

Restart Required: Yes

Instructions:

1. Back up your ChurchCRM database and files.
2. Update to the latest ChurchCRM version.
3. Apply the specific commit 719a6bc73245c40e3c30dae6229daaecd451e59f if not updating fully.
4. Restart the web server.

🔧 Temporary Workarounds

Input Validation Filter (all): Implement strict input validation for the 1FieldSec parameter to reject SQL injection patterns.

Web Application Firewall (all): Deploy a WAF with SQL injection protection rules to block exploitation attempts.

🧯 If You Can't Patch

  • Implement network segmentation to isolate ChurchCRM from sensitive systems
  • Deploy database activity monitoring to detect SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the ChurchCRM version in the admin panel or via the version.php file. If the version is 6.2.0 or earlier, the system is vulnerable.

Check Version:

Check /path/to/churchcrm/version.php or the version display in the admin panel.

Verify Fix Applied:

Verify that the ChurchCRM version is newer than 6.2.0 and confirm that commit 719a6bc73245c40e3c30dae6229daaecd451e59f is applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns
  • Multiple requests with SLEEP() or similar SQL functions in parameters
  • Long response times from specific endpoints

Network Indicators:

  • Repeated requests to endpoints with SQL injection payloads in 1FieldSec parameter
  • Unusual traffic patterns to ChurchCRM database ports

SIEM Query:

source="web_logs" AND uri="*1FieldSec*" AND (payload="*SLEEP*" OR payload="*WAITFOR*" OR payload="*BENCHMARK*")
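As an added example (not part of this advisory or of ChurchCRM), the Python check below applies the log indicators listed above to Apache-style access log lines: it looks for the time-delay functions named in the SIEM query inside the 1FieldSec parameter and correlates them with slow responses. It assumes a log format whose last field is the response time in microseconds (Apache's %D); the sample lines are constructed.

```python
"""Flag requests whose 1FieldSec parameter carries time-delay SQL functions
(SLEEP, BENCHMARK, WAITFOR) and note whether the response was slow."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Time-delay primitives named in the advisory's detection section.
TIME_DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR|PG_SLEEP)\s*\(?", re.I)

# Apache combined-style line with an assumed trailing %D field
# (response time in microseconds) as the last token.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<us>\d+)$'
)

SLOW_US = 4_000_000  # 4 s; assumed threshold, well above a normal page render

def inspect_line(line):
    """Return a finding dict for a suspicious 1FieldSec request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    values = parse_qs(urlsplit(m["uri"]).query, keep_blank_values=True).get("1FieldSec")
    if not values:
        return None
    # Decode a second time so double-encoded payloads are inspected too.
    decoded = [unquote_plus(v) for v in values]
    hits = [v for v in decoded if TIME_DELAY_RE.search(v)]
    slow = int(m["us"]) >= SLOW_US
    if not hits and not slow:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "payload": hits[0] if hits else decoded[0], "slow": slow}

def scan_access_log(lines):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (not real traffic); RFC 5737 documentation IPs.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Mar/2025:10:00:01 +0000] "GET /index.php?1FieldSec=3 HTTP/1.1" 200 5120 180000',
    '203.0.113.9 - - [10/Mar/2025:10:00:02 +0000] "GET /index.php?1FieldSec=3%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 5120 5020000',
    '203.0.113.9 - - [10/Mar/2025:10:00:09 +0000] "GET /index.php?1FieldSec=3%29%20AND%20BENCHMARK%2850000000%2CMD5%281%29%29 HTTP/1.1" 200 5120 6100000',
    '198.51.100.4 - - [10/Mar/2025:10:01:00 +0000] "GET /index.php?Other=1 HTTP/1.1" 200 900 90000',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A request that is slow but carries no time-delay function is still reported (with `"slow": True` and the raw value) so that obfuscated variants are not silently dropped.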
