CVE-2025-67751
📋 TL;DR
ChurchCRM versions before 6.5.0 contain a SQL injection vulnerability in the EventEditor.php file. Authenticated users with event management permissions can exploit this by injecting malicious SQL through the EN_tyid POST parameter when creating events. This affects all ChurchCRM installations running vulnerable versions.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution if database functions allow it.
Likely Case
Unauthorized data access, modification of church records, and potential extraction of sensitive member information.
If Mitigated
Limited impact due to proper access controls and network segmentation, but still represents a security violation.
🎯 Exploit Status
Exploitation requires authenticated access with event management permissions. SQL injection is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.0
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-wxcc-gvfv-56fg
Restart Required: No
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.0 or later from the official repository.
3. Replace the existing installation with the new version.
4. Verify that the EventEditor.php file contains proper input sanitization.
🔧 Temporary Workarounds
Input Validation Web Application Firewall Rule
Implement WAF rules to block SQL injection patterns in POST parameters
Temporary Permission Restriction
Remove 'isAddEvent' permissions from non-essential users until patching
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ChurchCRM from sensitive systems
- Enable detailed SQL query logging and monitor for suspicious database activity
🔍 How to Verify
Check if Vulnerable:
Check ChurchCRM version in admin panel or examine EventEditor.php for lack of input sanitization on EN_tyid parameter
Check Version:
Check ChurchCRM admin dashboard or view /Include/Config.php for version information
Verify Fix Applied:
Verify ChurchCRM version is 6.5.0 or later and check EventEditor.php includes proper parameterized queries or input validation
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by event creation attempts
- SQL syntax errors in web server logs
Network Indicators:
- POST requests to EventEditor.php with suspicious EN_tyid parameter values
- Unusual database connection patterns
SIEM Query:
source="web_server" AND uri="*EventEditor.php*" AND param="EN_tyid" AND (value="*' OR *" OR value="*; *")
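As an added example, not part of this advisory or of ChurchCRM, the following Python script applies the detection indicators above to constructed request-log lines. It assumes a log format that records the POST body (a WAF or reverse-proxy log, not a plain access log), and it assumes EN_tyid is expected to be a plain numeric id, so any non-numeric value is reported and values matching the SIEM query's patterns are reported with a stronger label.

```python
"""Flag POST requests to EventEditor.php whose EN_tyid value looks like SQL injection."""
import re
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample lines (assumed format): "<ts> <client> <method> <uri> body=<urlencoded body>"
SAMPLE_LOG = """\
2025-01-10T10:00:01Z 10.0.0.5 POST /EventEditor.php body=EN_tyid=3&Action=create
2025-01-10T10:00:07Z 10.0.0.9 POST /EventEditor.php body=EN_tyid=3'+OR+1%3D1--&Action=create
2025-01-10T10:00:09Z 10.0.0.9 POST /EventEditor.php body=EN_tyid=1%3B+SELECT+1&Action=create
2025-01-10T10:00:12Z 10.0.0.5 GET /EventEditor.php body=
2025-01-10T10:00:15Z 10.0.0.7 POST /Login.php body=User=bob&Password=x
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<uri>\S+) body=(?P<body>.*)$")
# Same two patterns as the SIEM query: a quote followed by OR, or a statement separator.
INJECTION_RE = re.compile(r"'\s*or\b|;\s", re.IGNORECASE)


def classify(value: str) -> Optional[str]:
    """Return a finding label for an EN_tyid value, or None if it looks benign.

    Assumption: a legitimate EN_tyid is a plain integer id.
    """
    if value.isdigit():
        return None
    if INJECTION_RE.search(value):
        return "sqli-pattern"
    return "non-numeric"


def scan_log(text: str) -> list:
    """Return one finding dict per suspicious EN_tyid value sent by POST to EventEditor.php."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["uri"].endswith("EventEditor.php"):
            continue
        params = parse_qs(m["body"], keep_blank_values=True)  # decodes %3D, '+' etc.
        for value in params.get("EN_tyid", []):
            label = classify(value)
            if label:
                findings.append({"ts": m["ts"], "client": m["client"], "value": value, "reason": label})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} EN_tyid={f['value']!r} -> {f['reason']}")
```

The GET line and the unrelated Login.php line are skipped, and the benign numeric id produces no finding, so only the two 10.0.0.9 requests are reported.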