CVE-2025-68400
📋 TL;DR
A SQL injection vulnerability in ChurchCRM allows authenticated users with any permission level to execute arbitrary SQL commands through the familyId parameter of the legacy ConfirmReportEmail.php endpoint. All ChurchCRM installations prior to version 6.5.3 are affected: the vulnerable feature was removed from the user interface, but the endpoint remains reachable via direct URL.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution if database functions allow it.
Likely Case
Unauthorized data access and extraction of sensitive church member information, financial records, and personal data stored in the database.
If Mitigated
Limited impact if proper network segmentation, database permissions, and input validation are in place, though SQL injection could still leak some data.
🎯 Exploit Status
SQL injection through familyId parameter is straightforward for attackers with basic SQL knowledge. Authentication required but any valid credentials work.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2
Restart Required: Yes
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.3 or later from the official repository.
3. Replace the existing installation with the new version.
4. Restart the web server service.
🔧 Temporary Workarounds
Remove vulnerable file
Linux: Delete or rename the vulnerable ConfirmReportEmail.php file to prevent access (either of the two commands below is sufficient)
rm /path/to/ChurchCRM/Reports/ConfirmReportEmail.php
mv /path/to/ChurchCRM/Reports/ConfirmReportEmail.php /path/to/ChurchCRM/Reports/ConfirmReportEmail.php.disabled
Web server access restriction
All platforms: Block access to the vulnerable endpoint using web server configuration
# Apache: Add to .htaccess in the ChurchCRM web root or the Reports/ directory (needs AllowOverride enabled)
<Files "ConfirmReportEmail.php">
    # Apache 2.2 syntax (on Apache 2.4 this only works if mod_access_compat is loaded)
    Order allow,deny
    Deny from all
    # Apache 2.4 syntax: use this single line instead of the two lines above
    # Require all denied
</Files>
# Nginx: Add to the server block BEFORE the generic "location ~ \.php$" handler,
# since nginx uses the first matching regex location
location ~ /Reports/ConfirmReportEmail\.php$ {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the ChurchCRM web interface
- Deploy a web application firewall (WAF) with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether the file exists: ls -la /path/to/ChurchCRM/Reports/ConfirmReportEmail.php. If the file exists and the ChurchCRM version is below 6.5.3, the system is vulnerable.
Check Version:
Check the ChurchCRM version in the admin interface, or grep the installed ChurchCRM files for the version string.
Verify Fix Applied:
Verify that the ConfirmReportEmail.php file is removed or inaccessible (a direct request should return 403 or 404), and that the ChurchCRM version is 6.5.3 or higher.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /Reports/ConfirmReportEmail.php with SQL injection patterns in parameters
- Database error logs showing unusual SQL syntax errors
Network Indicators:
- HTTP POST/GET requests to ConfirmReportEmail.php endpoint with suspicious parameter values
SIEM Query:
source="web_access_logs" AND uri_path="/Reports/ConfirmReportEmail.php" AND (param="familyId" AND value MATCHES "[';]|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|CREATE")
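As an added example (not part of this advisory or the ChurchCRM project), the following script applies the log indicators above offline to web server access logs in combined format. It flags requests to the vulnerable endpoint whose familyId contains the SQL keywords or quotes from the SIEM query, and additionally flags any familyId that is not a plain integer, on the assumption that a legitimate family ID is numeric; the sample log lines are constructed.

```python
import re
from typing import Optional, List, Dict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2025:10:15:01 +0000] "GET /Reports/ConfirmReportEmail.php?familyId=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2025:10:15:09 +0000] "GET /Reports/ConfirmReportEmail.php?familyId=42%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.7 - - [12/Jan/2025:10:15:11 +0000] "GET /Reports/ConfirmReportEmail.php?familyId=1%20OR%201%3D1 HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [12/Jan/2025:10:16:00 +0000] "GET /Reports/ReportList.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined-format entry: client IP, timestamp, quoted request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/Reports/ConfirmReportEmail.php"
# Same quote characters and keywords as the SIEM query, with word boundaries to reduce noise.
SQLI_RE = re.compile(
    r"[';]|\b(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|CREATE)\b", re.IGNORECASE
)


def classify_family_id(value: str) -> Optional[str]:
    """Return a reason if the (already URL-decoded) familyId looks hostile, else None."""
    if SQLI_RE.search(value):
        return f"sql keyword/quote in familyId: {value!r}"
    # Assumption: a legitimate familyId is a plain integer key, so anything else is suspect.
    if not value.isdigit():
        return f"non-numeric familyId: {value!r}"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag requests to the vulnerable endpoint with a suspicious familyId.

    Only query strings are visible in access logs; POST bodies are not, so
    POSTed parameters need a WAF or application-level logging instead.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith(VULN_PATH):
            continue
        for value in parse_qs(parts.query).get("familyId", []):  # parse_qs percent-decodes
            reason = classify_family_id(value)
            if reason:
                hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"], "reason": reason})
    return hits
```

Note that the third sample line (`1 OR 1=1`) is caught only by the numeric check, not by the keyword list, which is why the stricter type check is worth adding alongside the SIEM pattern.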