CVE-2025-68111
📋 TL;DR
ChurchCRM versions before 6.5.3 contain a SQL injection vulnerability in the eGive.php file's ReImport functionality. Authenticated users with finance privileges can execute arbitrary SQL queries by manipulating the MissingEgive_FamID_... POST parameter, potentially leading to unauthorized database access, modification, or deletion. This affects all ChurchCRM deployments using vulnerable versions.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM, an open-source church management system maintained by the ChurchCRM project.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, modification, or deletion of sensitive church member information, financial records, and system configuration.
Likely Case
Unauthorized access to sensitive financial and member data by malicious insiders or compromised finance accounts.
If Mitigated
Limited impact with proper access controls, database permissions, and monitoring in place.
🎯 Exploit Status
Exploitation requires authenticated access with finance privileges. SQL injection is a well-understood attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c4vm-87vf-hmx9
Restart Required: No
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.3 or later from the official repository.
3. Replace the vulnerable eGive.php file with the patched version.
4. Verify the patch is applied by checking the file version.
🔧 Temporary Workarounds
Disable eGive.php ReImport functionality
(Linux) Temporarily disable the vulnerable ReImport feature by modifying or removing access to the eGive.php file.
mv /path/to/ChurchCRM/eGive.php /path/to/ChurchCRM/eGive.php.disabled
Restrict finance privilege access
(All platforms) Reduce the number of users with finance privileges to only essential personnel.
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for the MissingEgive_FamID_... parameter
- Deploy a web application firewall (WAF) with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check if your ChurchCRM version is below 6.5.3 by examining the version file or admin interface.
Check Version:
grep -r 'version' /path/to/ChurchCRM/Include/Config.php | grep -i 'churchcrm'
Verify Fix Applied:
Verify the eGive.php file has been updated to version 6.5.3 or later and test the ReImport functionality with SQL injection test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by finance privilege access
- Suspicious POST requests to eGive.php with SQL-like patterns in parameters
Network Indicators:
- Unusual database connection patterns from web server
- Large data transfers from database to unexpected sources
SIEM Query:
source="web_logs" AND uri="/eGive.php" AND (param="MissingEgive_FamID_" AND value MATCHES "[';]|UNION|SELECT|INSERT|UPDATE|DELETE|DROP")
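The log indicator and SIEM query above can be turned into a small offline check; the following is an added example, not code from the advisory or from ChurchCRM. It assumes a MissingEgive_FamID_<n> value should be a plain non-negative integer (a family ID), so anything else in a POST to eGive.php is flagged, with the keyword/quote match used only to prioritise triage; the request records are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records (method, path, raw POST body). These are made up
# for illustration and are not real ChurchCRM logs.
SAMPLE_REQUESTS = [
    ("POST", "/eGive.php", "MissingEgive_FamID_3=42&Submit=ReImport"),
    ("POST", "/eGive.php", "MissingEgive_FamID_3=42%27+UNION+SELECT+1%2C2--&Submit=ReImport"),
    ("POST", "/eGive.php", "MissingEgive_FamID_7=17%3B+DROP+TABLE+x&Submit=ReImport"),
    ("GET", "/eGive.php", ""),
    ("POST", "/Login.php", "User=admin&Password=x"),
]

PARAM_PREFIX = "MissingEgive_FamID_"
# Assumption: a family ID is a non-negative integer, so this is the allow-list.
INTEGER_ONLY = re.compile(r"^\d+$")
# Mirrors the advisory's SIEM pattern; used only to label why a value was flagged.
SQL_HINTS = re.compile(r"['\";]|\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)


def suspicious_params(method, path, body):
    """Return (name, value, reason) for every MissingEgive_FamID_* value that is
    not a plain integer in a POST to eGive.php. Other requests yield nothing."""
    findings = []
    if method != "POST" or not path.endswith("/eGive.php"):
        return findings
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if not name.startswith(PARAM_PREFIX):
            continue
        for value in values:  # parse_qs already URL-decodes the value
            if INTEGER_ONLY.match(value):
                continue
            reason = "sql-keyword-or-quote" if SQL_HINTS.search(value) else "non-integer"
            findings.append((name, value, reason))
    return findings


def scan(requests):
    """Run suspicious_params over a list of records; returns (record index, finding)."""
    return [(i, f) for i, req in enumerate(requests) for f in suspicious_params(*req)]


if __name__ == "__main__":
    for index, (name, value, reason) in scan(SAMPLE_REQUESTS):
        print(f"record {index}: {name}={value!r} flagged ({reason})")
```

Because the check is an integer allow-list rather than a keyword deny-list, encoded or obfuscated payloads are still flagged (as "non-integer") even when the keyword pattern does not match them.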