CVE-2025-68112
📋 TL;DR
ChurchCRM versions before 6.5.3 contain a SQL injection vulnerability in the Event Attendee Editor that lets any authenticated user, not only an administrator, execute arbitrary SQL against the application database. This can lead to complete database compromise, theft of administrative credentials, and potential system takeover. Every installation running an unpatched version is affected.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM is an open-source, PHP-based church management system (member records, groups, events, donations) maintained by the ChurchCRM project on GitHub (ChurchCRM/CRM).
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to theft of all sensitive member data, authentication credentials and financial information, and potential system takeover with remote code execution (for example by writing files through the database user's FILE privilege where that privilege is granted).
Likely Case
Data exfiltration of sensitive member information, credential theft leading to administrative account compromise, and potential financial data exposure.
If Mitigated
Limited impact if proper network segmentation, database permissions, and monitoring are in place, though data exposure risk remains.
🎯 Exploit Status
SQL injection flaws are routinely weaponized, and this one requires only an authenticated account, not administrator rights. Treat any valid login, including low-privilege volunteer accounts that can reach the Event Attendee Editor, as sufficient to exploit it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq
Restart Required: Yes
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.3 from the official repository.
3. Replace the existing installation files with the new version.
4. Restart the web server service.
5. Verify the application loads correctly.
🔧 Temporary Workarounds
Restrict Database User Permissions
Limit the database user account to only the permissions the application needs (for example SELECT, INSERT and UPDATE on the relevant tables) to reduce the impact of a successful exploitation: dropping DROP, ALTER and FILE in particular removes the easiest paths from injection to data destruction or file writes. This does not stop an attacker from reading whatever the application can read, so it shrinks the blast radius rather than closing the hole.

```sql
-- Database-specific commands vary by DBMS; this is the MySQL/MariaDB form.
-- Adjust the schema name, user and host to your deployment.
REVOKE ALL PRIVILEGES ON churchcrm.* FROM 'appuser'@'localhost';
-- Then grant only the permissions the application needs (narrow further per table if you can)
GRANT SELECT, INSERT, UPDATE ON churchcrm.* TO 'appuser'@'localhost';
FLUSH PRIVILEGES;
```

Caveat: parts of the application may need DELETE for normal operation, and the upgrade to 6.5.3 runs schema changes that need CREATE/ALTER, so test the reduced grant set in staging and restore the extra privileges for the upgrade itself.
Web Application Firewall (WAF)
Deploy a WAF with SQL injection protection rules in front of the application to block exploitation attempts. Signature-based rules can be bypassed with encoding and case tricks, so treat the WAF as a stop-gap that buys time for patching, not as a fix.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ChurchCRM from other critical systems
- Enable detailed SQL query logging and monitor for suspicious database activity patterns
🔍 How to Verify
Check if Vulnerable:
Check ChurchCRM version in the application interface or by examining the source code files for version markers.
Check Version:
Check the ChurchCRM dashboard or examine the /Include/Config.php file for version information
Verify Fix Applied:
Verify that the application version shows 6.5.3 or higher in the interface. Compare versions numerically, not as strings (6.10.0 is newer than 6.5.3 even though it sorts lower alphabetically). As a functional check, submit an Event Attendee Editor value containing a single quote and confirm the application neither errors nor returns a database error message.
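The version comparison above is where ad-hoc checks usually go wrong. The following is an added example, not code from this page or from the ChurchCRM project: it parses whatever version string the dashboard or config file shows and decides whether it is below the fixed release. Pre-release tags are treated as older than the corresponding release, which is the conservative choice for a security check.

```python
import re

# Version that ships the fix for CVE-2025-68112, per the vendor advisory.
FIXED_VERSION = (6, 5, 3, 1)  # trailing 1 = final release (0 marks a pre-release)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.]+))?\s*$")


def parse_version(text):
    """Turn '6.5.2', 'v6.5.3' or '6.5.3-rc1' into a comparable tuple of ints.

    The fourth element is 0 for a pre-release suffix and 1 for a final
    release, so '6.5.3-rc1' sorts below '6.5.3' and is still reported as
    vulnerable.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_vulnerable(version_text):
    """True when the installed version predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


if __name__ == "__main__":
    for v in ["6.5.2", "6.5.3", "6.5.3-rc1", "v6.10.0"]:
        print(f"{v:>10}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Feed it the string from the ChurchCRM dashboard or the version marker in the installed files; it deliberately refuses anything that does not look like a version rather than guessing.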
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by a successful authentication and then SQL injection patterns from the same source
- Unexpected database schema queries or information_schema access
Network Indicators:
- HTTP POST requests to Event Attendee Editor endpoints containing SQL syntax in parameters
SIEM Query:
source="web_server_logs" AND (uri_path="*EventAttendee*" OR uri_path="*event*attendee*") AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*INSERT*" OR query_string="*DELETE*")

Two caveats when running this: wildcard matches are case-sensitive in many SIEMs and miss URL-encoded payloads (%55NION, %27, %20), so normalize the query string (URL-decode, lower-case) before matching; and web server access logs do not record POST bodies, so payloads sent in form fields are only visible in WAF or application logs.
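To show what the normalization step looks like in practice, here is an added example (not code from this page or from ChurchCRM) that scans web server access logs for the pattern the SIEM query describes: requests to an Event Attendee endpoint whose query string, after URL-decoding and lower-casing, contains SQL injection indicators. The log lines are constructed for the example, and the endpoint name EventAttendees.php and the table name are assumptions, not taken from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" format (not real ChurchCRM traffic).
# Line 2 carries a URL-encoded UNION SELECT, line 4 a mixed-case time-based probe,
# line 3 is a POST whose body (where a payload would be) is not in the access log,
# and line 5 hits a different endpoint and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - alice [12/Jan/2025:10:01:02 +0000] "GET /EventAttendees.php?EventID=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - alice [12/Jan/2025:10:01:09 +0000] "GET /EventAttendees.php?EventID=12%27%20UNION%20SELECT%20password%20FROM%20user_usr--%20- HTTP/1.1" 200 6013 "-" "Mozilla/5.0"
198.51.100.7 - bob [12/Jan/2025:10:02:00 +0000] "POST /EventAttendees.php?EventID=13 HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - alice [12/Jan/2025:10:03:30 +0000] "GET /EventAttendees.php?EventID=12%20AnD%20sLeEp(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - carol [12/Jan/2025:10:04:00 +0000] "GET /MemberList.php?Search=select HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed endpoint naming; the page only says "Event Attendee Editor endpoints".
ENDPOINT_RE = re.compile(r"event.?attendee", re.IGNORECASE)

# Indicators are matched against the decoded, lower-cased query string.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b")),
    ("select-from", re.compile(r"\bselect\b.+?\bfrom\b")),
    ("tautology", re.compile(r"\b(?:or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("schema-probe", re.compile(r"information_schema")),
    ("comment", re.compile(r"--\s|/\*")),
    ("stacked", re.compile(r";\s*(?:drop|insert|update|delete)\b")),
]


def analyse(line):
    """Return a finding dict for a suspicious Event Attendee request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not ENDPOINT_RE.search(path):
        return None  # out of scope for this rule
    # Decode twice so %2527-style double encoding does not slip past the patterns.
    decoded = unquote_plus(unquote_plus(query))
    lowered = decoded.lower()
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(lowered)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"),
        "method": m.group("method"), "path": path,
        "query": decoded, "indicators": hits,
    }


def scan(log_text):
    """Run analyse() over every line and keep the findings."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['user']} "
              f"{finding['method']} {finding['path']} -> {finding['indicators']}")
```

The POST on line 3 produces no finding even though a real attack would most likely arrive that way; that is the access-log blind spot, and closing it means matching on WAF or application-level request logs that capture the form body.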