CVE-2025-67877
📋 TL;DR
CVE-2025-67877 is a SQL injection vulnerability in ChurchCRM versions before 6.5.3 that allows attackers to execute arbitrary SQL commands through the PersonAddress parameter. This affects all ChurchCRM installations using vulnerable versions, potentially compromising database integrity and confidentiality. The vulnerability exists because the PersonAddress parameter lacks proper input validation unlike other parameters in the same file.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM, an open-source church management system, maintained by the ChurchCRM project.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized data access, data modification, and potential authentication bypass leading to administrative access.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint, but SQL injection techniques are well-documented and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4
Restart Required: Yes
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.3 or later from the official repository.
3. Replace the existing installation with the new version.
4. Restart the web server service.
5. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation for the PersonAddress parameter so that SQL injection attempts are rejected before the value reaches the database.
Modify src/CartToFamily.php so that $_POST['PersonAddress'] is passed through InputUtils::LegacyFilterInput($_POST['PersonAddress'], 'int') before the parameter is used, as the other parameters in the same file already are.
Web Application Firewall
Deploy WAF rules to block SQL injection patterns targeting the PersonAddress parameter.
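The workaround above amounts to two defensive layers: treat PersonAddress as an integer identifier and never let the raw value reach SQL text. The following Python example (added here; it is not ChurchCRM code, which is PHP, and the family table, its columns and the function names are assumptions) shows the same defect class and the same fix side by side against a constructed in-memory SQLite table, so the difference in behaviour can be observed directly.

```python
import re
import sqlite3


def make_sample_db():
    """Constructed stand-in table (not ChurchCRM's schema): a family id and its address."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE family (fam_id INTEGER PRIMARY KEY, address TEXT)")
    conn.executemany(
        "INSERT INTO family VALUES (?, ?)",
        [(1, "1 Main St"), (2, "2 Oak Ave"), (3, "3 Elm Rd")],
    )
    return conn


def vulnerable_lookup(conn, raw_person_address):
    """Before: the untrusted parameter is interpolated into the SQL text, which is the
    defect class the advisory describes for PersonAddress."""
    sql = f"SELECT fam_id, address FROM family WHERE fam_id = {raw_person_address}"
    return conn.execute(sql).fetchall()


def validate_int_param(raw):
    """Strict integer allow-list, the role the workaround gives LegacyFilterInput(..., 'int').
    Anything that is not an optionally signed run of digits is rejected outright."""
    stripped = raw.strip()
    if not re.fullmatch(r"-?\d+", stripped):
        raise ValueError(f"PersonAddress must be an integer id, got {raw!r}")
    return int(stripped)


def hardened_lookup(conn, raw_person_address):
    """After: validate first, then bind the value as a query parameter so the database
    never parses it as SQL. The bind parameter alone already prevents injection; the
    validation additionally rejects malformed input early with a clear error."""
    fam_id = validate_int_param(raw_person_address)
    return conn.execute(
        "SELECT fam_id, address FROM family WHERE fam_id = ?", (fam_id,)
    ).fetchall()


def is_rejected(conn, raw):
    """True when the hardened path refuses the input; used to contrast the two paths."""
    try:
        hardened_lookup(conn, raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_sample_db()
    print("vulnerable, crafted input:", vulnerable_lookup(db, "2 OR 1=1"))
    print("hardened, crafted input  :", "rejected" if is_rejected(db, "2 OR 1=1") else "accepted")
    print("hardened, normal input   :", hardened_lookup(db, "2"))
```

The crafted input returns every row through the vulnerable path and is refused before any query runs through the hardened path; a plain integer id behaves identically on both, which is the property a fix for this parameter should preserve.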
🧯 If You Can't Patch
- Implement strict input validation for all POST parameters in the application
- Deploy network segmentation and restrict access to ChurchCRM to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check if ChurchCRM version is below 6.5.3 by viewing the version in the admin interface or checking the software files.
Check Version:
Check the version displayed in the ChurchCRM admin dashboard or examine the software version files.
Verify Fix Applied:
Verify the installation is running version 6.5.3 or later and check that src/CartToFamily.php properly validates the PersonAddress parameter.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by PersonAddress parameter manipulation
- Unexpected database errors in application logs
Network Indicators:
- HTTP POST requests to CartToFamily.php with suspicious PersonAddress parameter values
- SQL injection patterns in HTTP traffic
SIEM Query:
source="web_logs" AND uri="*CartToFamily.php*" AND (PersonAddress="*' OR *" OR PersonAddress="*;*" OR PersonAddress="*--*" OR PersonAddress="*UNION*" OR PersonAddress="*SELECT*" OR PersonAddress="*INSERT*" OR PersonAddress="*UPDATE*" OR PersonAddress="*DELETE*")
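The SIEM query above is a deny-list: it fires on a handful of SQL fragments in PersonAddress. Because the workaround establishes that the parameter should only ever be an integer id, an allow-list check ("is this an integer at all?") catches anything the fragment list misses. The following Python example (added here, not part of the advisory or of ChurchCRM) applies both checks to a few constructed web-log events that already have their POST parameters parsed; the event field names and the case-insensitive matching of the SIEM patterns are assumptions.

```python
import re

# Patterns mirrored from the advisory's SIEM query. Matching is case-insensitive here,
# which is an assumption about how the SIEM evaluates its wildcards.
SIEM_PATTERNS = {
    "quote-or": re.compile(r"'\s+OR\s", re.IGNORECASE),
    "semicolon": re.compile(r";"),
    "comment": re.compile(r"--"),
    "sql-keyword": re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE),
}

# Allow-list: the workaround treats PersonAddress as an integer id, so any value that
# is not an optionally signed run of digits is anomalous regardless of its content.
INTEGER_ONLY = re.compile(r"^\s*-?\d+\s*$")


def _person_address(event):
    """Return the PersonAddress value for requests to CartToFamily.php, else None.
    Event layout (src_ip, method, uri, params) is a constructed assumption."""
    if "CartToFamily.php" not in event.get("uri", ""):
        return None
    return event.get("params", {}).get("PersonAddress")


def siem_reasons(event):
    """Deny-list check equivalent to the advisory's SIEM query; names of matched patterns."""
    value = _person_address(event)
    if value is None:
        return []
    return [name for name, pattern in SIEM_PATTERNS.items() if pattern.search(value)]


def allowlist_reasons(event):
    """Allow-list check: flag any non-integer PersonAddress sent to the endpoint."""
    value = _person_address(event)
    if value is None or INTEGER_ONLY.match(value):
        return []
    return ["non-integer PersonAddress"]


def triage(events):
    """Run both checks over parsed events and return one finding per flagged event."""
    findings = []
    for index, event in enumerate(events):
        reasons = siem_reasons(event) + allowlist_reasons(event)
        if reasons:
            findings.append({"index": index, "src_ip": event.get("src_ip"), "reasons": reasons})
    return findings


# Constructed sample events (documentation-range IPs); not taken from any real log.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "method": "POST", "uri": "/CartToFamily.php",
     "params": {"PersonAddress": "42"}},                 # normal integer id
    {"src_ip": "203.0.113.7", "method": "POST", "uri": "/CartToFamily.php",
     "params": {"PersonAddress": "42' OR 1=1 --"}},      # matches the SIEM query
    {"src_ip": "198.51.100.9", "method": "POST", "uri": "/CartToFamily.php",
     "params": {"PersonAddress": "1 union select"}},     # lowercase keyword
    {"src_ip": "198.51.100.9", "method": "POST", "uri": "/CartToFamily.php",
     "params": {"PersonAddress": "42abc"}},              # misses the deny-list, fails allow-list
    {"src_ip": "192.0.2.5", "method": "GET", "uri": "/index.php",
     "params": {"q": "SELECT"}},                         # other endpoint, out of scope
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The fourth sample event is the instructive one: it contains none of the fragments the SIEM query looks for, so the deny-list stays silent, but it is not an integer and is flagged by the allow-list check. In practice the allow-list rule is the one to alert on for this endpoint, with the pattern names attached as supporting context.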