CVE-2025-66396
📋 TL;DR
This SQL injection vulnerability in ChurchCRM (src/UserEditor.php) lets an authenticated administrator, whether malicious or using a compromised account, execute arbitrary SQL against the application database. The attacker can read, modify or delete anything the application stores, including user credentials and financial records. Every ChurchCRM installation before 6.5.3 is affected; the only precondition is an administrator login.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM, by the ChurchCRM project: an open-source church management system written in PHP and backed by a MySQL/MariaDB database.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise: theft of all stored data, harvesting of credential hashes, manipulation of financial records, file writes on the database host if the application's database user holds the FILE privilege (SELECT ... INTO OUTFILE), and further compromise through whatever other privileges that database user has.
Likely Case
Data exfiltration and manipulation by compromised admin accounts, potentially affecting all user data and system integrity.
If Mitigated
Reduced impact if the ChurchCRM database user is restricted to the privileges the application needs (no FILE, no access to other schemas), administrator accounts are few and strongly authenticated, and admin activity is logged and reviewed. These controls do not remove the vulnerability: any administrator can still read and alter everything ChurchCRM itself stores.
🎯 Exploit Status
Exploitation requires valid administrator credentials, but once logged in the injection is straightforward: a crafted key in the type[] parameter of a POST to the user editor page is enough, so no exploit development skill is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-whpp-wx64-4qp9
Restart Required: No
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.3 or later from the official repository (https://github.com/ChurchCRM/CRM/releases).
3. Replace the existing installation with the patched version.
4. Verify the patch by checking that src/UserEditor.php validates the keys of the type parameter before they reach any SQL query.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation so that every key of the type[] parameter is an integer before it is used in a query.
Modify src/UserEditor.php to check each array key with filter_var($key, FILTER_VALIDATE_INT) (or cast it with (int) $key) and abort the request on any failure. is_numeric() alone is weaker: it also accepts floats, exponent notation such as "1e3" and leading whitespace. Treat this as a stopgap; the durable fix is to pass the key and the value as prepared-statement parameters instead of concatenating them into the SQL string.
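To make the workaround concrete, here is an illustrative pair of snippets added for this page. This is not ChurchCRM's own code: the table name userconfig_ucfg, its column names, the $_POST['type'] layout (an array keyed by configuration id) and the use of an in-memory SQLite database in place of MySQL are all assumptions made for the example. The first function reproduces the class of bug the advisory describes, an array key interpolated straight into SQL; the second pair validates every key as a positive integer and then binds key and value through a prepared statement, which is the stronger fix. The script runs stand-alone with PHP's pdo_sqlite extension and shows the injected key reaching rows that belong to another user.

```php
<?php
// Illustrative example added for this page, not ChurchCRM's own code.
// Assumptions: table userconfig_ucfg with columns ucfg_per_id, ucfg_id, ucfg_type,
// and $_POST['type'] being an array keyed by config id (the "type parameter keys").

// VULNERABLE PATTERN (the class of bug the advisory describes): the array KEY is
// interpolated into SQL. A form field named  type[2 OR 1=1]  lands in the WHERE clause.
function buildUpdateUnsafe(int $personId, array $typeParam): array
{
    $statements = [];
    foreach ($typeParam as $key => $value) {
        $statements[] = "UPDATE userconfig_ucfg SET ucfg_type = '$value' "
                      . "WHERE ucfg_per_id = $personId AND ucfg_id = $key";
    }
    return $statements;
}

// HARDENED step 1: every key must be a positive integer before it touches SQL.
function validateTypeKeys(array $typeParam): array
{
    $clean = [];
    foreach ($typeParam as $key => $value) {
        // PHP already turns purely numeric string keys into ints; anything still a
        // string here ("2 OR 1=1", "7abc", "") cannot be a legitimate config id.
        $id = filter_var($key, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('Rejected non-integer config id: ' . var_export($key, true));
        }
        $clean[$id] = (string) $value;
    }
    return $clean;
}

// HARDENED step 2: bind both key and value; nothing from the request is concatenated.
function saveUserTypesSafe(PDO $db, int $personId, array $typeParam): int
{
    $stmt = $db->prepare(
        'UPDATE userconfig_ucfg SET ucfg_type = :type WHERE ucfg_per_id = :pid AND ucfg_id = :id'
    );
    $rows = 0;
    foreach (validateTypeKeys($typeParam) as $id => $type) {
        $stmt->execute([':type' => $type, ':pid' => $personId, ':id' => $id]);
        $rows += $stmt->rowCount();
    }
    return $rows;
}

function countType(PDO $db, string $type): int
{
    $q = $db->prepare('SELECT COUNT(*) FROM userconfig_ucfg WHERE ucfg_type = ?');
    $q->execute([$type]);
    return (int) $q->fetchColumn();
}

// Demonstration on an in-memory SQLite database (stands in for MySQL here).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userconfig_ucfg (ucfg_per_id INTEGER, ucfg_id INTEGER, ucfg_type TEXT)');
$db->exec("INSERT INTO userconfig_ucfg VALUES (5, 1, 'text'), (5, 2, 'text'), (9, 2, 'text')");

// Constructed attacker input, as $_POST['type'] looks after PHP parses
// the field names  type[1]  and  type[2 OR 1=1].
$attackerPost = [1 => 'text', '2 OR 1=1' => 'pwned'];

// Unsafe path: AND binds tighter than OR, so the injected key makes the second
// WHERE clause true for every row, including person 9's setting.
foreach (buildUpdateUnsafe(5, $attackerPost) as $sql) {
    $db->exec($sql);
}
echo 'rows marked pwned via the unsafe path: ', countType($db, 'pwned'), PHP_EOL;

// Safe path: the same input is rejected before any SQL runs.
try {
    saveUserTypesSafe($db, 5, $attackerPost);
} catch (InvalidArgumentException $e) {
    echo 'safe path: ', $e->getMessage(), PHP_EOL;
}
// ...and well-formed input updates only the intended rows.
echo 'rows updated for person 5: ', saveUserTypesSafe($db, 5, [1 => 'date', '2' => 'number']), PHP_EOL;
```

The validation step alone would already close the hole described here, but binding the values as well means a second, quoted-string injection in the value column cannot appear later; apply both when you patch by hand.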
🧯 If You Can't Patch
- Grant the ChurchCRM database user only the privileges the application needs on its own schema (no FILE, SUPER or GRANT, and no access to other databases); this limits what an injected query can reach, though it cannot stop reads or writes of ChurchCRM's own tables
- Enable detailed logging of all admin actions and of database queries (for example the MySQL general query log or an audit plugin) so that injected statements can be spotted
🔍 How to Verify
Check if Vulnerable:
Check if ChurchCRM version is below 6.5.3 by examining the version file or admin interface
Check Version:
Check the version.txt file or login to admin panel and view system information
Verify Fix Applied:
Verify that src/UserEditor.php in version 6.5.3 properly sanitizes the type parameter keys before SQL query construction
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL statements in the database query or audit log issued by the ChurchCRM database user: UNION SELECT, comment sequences (-- or /* */), stacked statements, INTO OUTFILE
- Multiple configuration save attempts from one admin session with non-standard parameters
- Application or database errors containing SQL syntax fragments
Network Indicators:
- POST requests to /UserEditor.php whose type[] parameter carries a non-numeric key; the injection point is the array key, i.e. the field name (something like type[1 OR 1=1--] instead of type[1]), not the field value
SIEM Query:
source="web_logs" AND uri="/UserEditor.php" AND method="POST" AND param LIKE "type[%" AND NOT match(param, "^type\[[0-9]+\]$")
Note: ordinary web-server access logs do not record POST bodies, so this query only works where the reverse proxy, WAF or application logs request parameters; match on the parameter name, since that is where the payload sits.
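The following detector, added for this page and not part of ChurchCRM or any SIEM product, applies the same rule to log lines offline. It assumes a proxy or application log that records the URL-encoded POST body of each request in the constructed format shown (timestamp, client IP, method, path, quoted body); real deployments will need the regex adapted to their own log layout. The check is the one from the SIEM query: for POSTs to /UserEditor.php, any key of the type[] array that is not a plain integer is flagged.

```php
<?php
// Illustrative detector added for this page; not ChurchCRM's own code.
// Assumes a log that records URL-encoded POST bodies (plain access logs do not).

// Returns the keys of the type[] parameter that are not plain integers.
function suspiciousTypeKeys(string $body): array
{
    parse_str($body, $params);
    if (!isset($params['type']) || !is_array($params['type'])) {
        return [];
    }
    $bad = [];
    foreach (array_keys($params['type']) as $key) {
        // A legitimate key is a config id, purely numeric. Anything else
        // (quotes, spaces, comment markers, semicolons) is injection-shaped.
        if (filter_var($key, FILTER_VALIDATE_INT) === false) {
            $bad[] = (string) $key;
        }
    }
    return $bad;
}

// Parses one constructed log line of the form
//   <timestamp> <client-ip> <method> <path> "<url-encoded body>"
// and returns an alert record, or null when nothing looks wrong.
function inspectLogLine(string $line): ?array
{
    $re = '/^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    [, $ts, $ip, $method, $path, $body] = $m;
    if ($method !== 'POST' || $path !== '/UserEditor.php') {
        return null;
    }
    $bad = suspiciousTypeKeys($body);
    return $bad ? ['time' => $ts, 'ip' => $ip, 'keys' => $bad] : null;
}

function scanLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $alert = inspectLogLine($line);
        if ($alert !== null) {
            $alerts[] = $alert;
        }
    }
    return $alerts;
}

// Constructed sample log (not real traffic). The second line carries an
// injected key: type[2 OR 1=1-- ] once the body is URL-decoded.
$sample = [
    '2025-11-27T10:15:02Z 203.0.113.7 POST /UserEditor.php "PersonID=5&type%5B1%5D=text&type%5B2%5D=date"',
    '2025-11-27T10:15:40Z 203.0.113.7 POST /UserEditor.php "PersonID=5&type%5B2+OR+1%3D1--+%5D=text"',
    '2025-11-27T10:16:01Z 198.51.100.9 GET /UserEditor.php ""',
    '2025-11-27T10:16:30Z 198.51.100.9 POST /Login.php "User=admin&Password=..."',
];

foreach (scanLog($sample) as $a) {
    printf("%s %s suspicious type[] keys: %s\n", $a['time'], $a['ip'], implode(' | ', $a['keys']));
}
```

parse_str() applies the same decoding rules as PHP's own handling of $_POST, so the detector sees the key exactly as src/UserEditor.php would; that is why it is preferable to a hand-written regex over the raw body, which would miss encodings the application still accepts.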