CVE-2025-66395
📋 TL;DR
ChurchCRM versions before 6.5.3 contain a SQL injection vulnerability in the ListEvents.php file. Any authenticated user, regardless of privilege level, can execute arbitrary SQL commands to exfiltrate, modify, or delete database data including credentials, financial information, and personal data. This could lead to complete compromise of the application's database.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM, maintained by the ChurchCRM project on GitHub: an open-source, PHP-based church management system that stores member records, events, and financial data, which is why a database compromise here exposes personal and financial information.
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise allowing attackers to steal all sensitive data (credentials, financial records, personal information), modify or delete data, and potentially gain administrative access to the system.
Likely Case
Data exfiltration of sensitive church member information, financial records, and user credentials leading to privacy violations and potential credential reuse attacks.
If Mitigated
Limited. With the WhichType parameter restricted to an allowlist of expected values and the query parameterized, an authenticated user can only reach the event data they were already authorized to view.
🎯 Exploit Status
Exploitation requires an authenticated account, but any privilege level suffices and the attack is straightforward once logged in: SQL injection is a well-understood class with mature, widely available tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c9xf-f3gr-xfwv
Restart Required: No
Instructions:
1. Back up the ChurchCRM database and the application files.
2. Download ChurchCRM version 6.5.3 or later from the official repository.
3. Replace the existing installation with the new version.
4. Confirm that the updated src/ListEvents.php no longer builds SQL from the raw WhichType parameter.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation so the WhichType parameter only accepts expected values.
Modify src/ListEvents.php to check WhichType against that allowlist before it is used in any SQL query, rejecting anything else.
WAF Rule
Implement web application firewall rules to block SQL injection patterns.
Add WAF rules that inspect POST bodies sent to ListEvents.php and block SQL injection attempts in the WhichType parameter. A WAF is a stopgap only: encoding and comment tricks can often get past signature rules, so treat it as defence in depth rather than a fix.
🧯 If You Can't Patch
- Implement strict input validation for the WhichType parameter in ListEvents.php
- Apply network segmentation to isolate the ChurchCRM server and restrict database access
🔍 How to Verify
Check if Vulnerable:
Check if ChurchCRM version is below 6.5.3 by examining the version in the admin interface or checking the software files
Check Version:
Check ChurchCRM admin dashboard or examine version files in the installation directory
Verify Fix Applied:
Confirm the installed version is 6.5.3 or later and that src/ListEvents.php validates the WhichType parameter and no longer interpolates it into SQL.
📡 Detection & Monitoring
Log Indicators:
- Queries containing UNION SELECT, stacked statements, or reads of the user and credential tables in the database query log, if that log is enabled (it is usually off by default)
- A burst of failed logins followed by a successful login and immediate POSTs to ListEvents.php, consistent with an attacker brute-forcing a low-privilege account to satisfy the authentication requirement
- Database operations from the ChurchCRM application account that the event-listing page would never issue (writes, schema changes, reads of unrelated tables)
Network Indicators:
- SQL injection patterns in POST requests to ListEvents.php
- Unusual database connection patterns from the application server
SIEM Query (pseudo-syntax, adapt to your platform; standard web server access logs do not record POST bodies, so this needs WAF, reverse-proxy, or application logs that capture request parameters, and the match should be case-insensitive and applied after URL-decoding):
source="web_logs" AND uri="/ListEvents.php" AND (post_param="WhichType" AND value MATCHES "[';]|UNION|SELECT|INSERT|UPDATE|DELETE|DROP")
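To show the SIEM logic actually running, here is an added example (not ChurchCRM code and not a query from the advisory) that applies the same pattern to constructed log lines in Python. The log format is an assumption: it represents a WAF or application log that records the URL-encoded POST body, since a plain access log would not contain the WhichType value at all. The IPs, usernames and payloads are constructed.

```python
"""Added example: the advisory's SIEM match applied to constructed request-log
lines that carry the POST body (assumed WAF/application log format)."""
import re
from urllib.parse import parse_qs

# Same pattern as the advisory's SIEM query, case-insensitive, with word
# boundaries so keywords inside ordinary words do not fire.
SQLI_PATTERN = re.compile(
    r"[';]|\bUNION\b|\bSELECT\b|\bINSERT\b|\bUPDATE\b|\bDELETE\b|\bDROP\b",
    re.IGNORECASE,
)

# Constructed log format: <ip> <user> <method> <uri> <status> body=<urlencoded body>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) body=(?P<body>.*)$"
)

# Constructed sample lines: two benign listings, one GET, two injection
# attempts from the same account, and a login POST that must not match.
SAMPLE_LOG = """\
10.0.0.5 member1 POST /ListEvents.php 200 body=WhichType=service&Action=List
10.0.0.7 member2 POST /ListEvents.php 200 body=WhichType=x%27+UNION+SELECT+username%2Cpassword_hash+FROM+users--&Action=List
10.0.0.9 member3 GET /ListEvents.php 200 body=
10.0.0.7 member2 POST /ListEvents.php 200 body=WhichType=x%27+or+%271%27%3D%271&Action=List
10.0.0.11 member4 POST /Login.php 302 body=User=member4&Password=UNION
10.0.0.12 member5 POST /ListEvents.php 200 body=WhichType=meeting
"""


def detect(log_text: str):
    """Return one hit per POST to /ListEvents.php whose decoded WhichType
    value matches the injection pattern.  Decoding happens before matching,
    so %27 is seen as a quote and + as a space."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["uri"].split("?")[0] != "/ListEvents.php":
            continue
        params = parse_qs(m["body"], keep_blank_values=True)
        for value in params.get("WhichType", []):
            if SQLI_PATTERN.search(value):
                hits.append({"ip": m["ip"], "user": m["user"], "value": value})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['user']} WhichType={hit['value']!r}")
```

Grouping hits by authenticated user rather than by IP is the useful pivot here, because exploitation needs a valid account; a low-privilege member account suddenly sending quoted or keyword-laden WhichType values is the signal. Expect to tune the pattern: the quote match will also fire on legitimate apostrophes if the parameter ever carries free text, and keyword-only payloads split by inline comments need the regex extended.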