CVE-2026-24854
📋 TL;DR
A SQL injection vulnerability in ChurchCRM allows any authenticated user, even with zero permissions, to execute arbitrary SQL commands through the PaddleNumEditor.php endpoint. This could lead to data theft, modification, or deletion. All ChurchCRM instances prior to version 6.7.2 are affected.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM, an open-source church management web application maintained by the ChurchCRM project.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive personal/financial data, privilege escalation to admin, and potential remote code execution if database functions allow it.
Likely Case
Unauthorized data access and modification of church member records, financial data, and system configuration.
If Mitigated
Limited to the authenticated user's intended data scope once the PerID value is validated and the query is parameterized.
🎯 Exploit Status
Exploitation requires an authenticated session but no special permissions. SQL injection through the PerID parameter is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.7.2
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr
Restart Required: No
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.7.2 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Verify that PaddleNumEditor.php now uses parameterized queries for PerID.
🔧 Temporary Workarounds
Disable the PaddleNumEditor.php endpoint
Temporarily block access to the vulnerable endpoint (applies to all installations). This also removes paddle-number editing for legitimate users until the patch is applied.
# For Apache: add to the .htaccess in the ChurchCRM web root (mod_rewrite must be enabled)
RewriteEngine On
RewriteRule ^PaddleNumEditor\.php$ - [F,L]
# For Nginx: add to the server block, before the generic PHP location, so this rule wins
location ~ /PaddleNumEditor\.php$ { return 403; }
Web Application Firewall (WAF) rules
Block requests to PaddleNumEditor.php whose PerID parameter, after URL decoding, is anything other than a plain integer (applies to all installations).
🧯 If You Can't Patch
- Implement strict input validation for the PerID parameter so that only plain integer values are accepted
- Apply the principle of least privilege: restrict the ChurchCRM database user to the minimum permissions required (no FILE privilege, no access to other schemas)
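The following is an added example, not ChurchCRM's own code, showing why a numeric-only check plus a bound parameter closes the PerID hole. It uses an in-memory SQLite database as a stand-in for the real MySQL backend; the table and column names (person_per, donation_note) are assumptions for illustration only, not the project's actual schema.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the ChurchCRM database. The table and column
# names below are assumptions for illustration only, not ChurchCRM's real schema.
def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE person_per (per_ID INTEGER PRIMARY KEY,
                                 per_FirstName TEXT, per_LastName TEXT);
        CREATE TABLE donation_note (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO person_per VALUES (1, 'Alice', 'Example'), (2, 'Bob', 'Example');
        INSERT INTO donation_note VALUES (1, 'pledge card 1234');
    """)
    return con

def lookup_vulnerable(con, per_id):
    """Deliberately unsafe: the raw request value is concatenated into the SQL text,
    which is the class of bug the advisory describes for the PerID parameter."""
    sql = ("SELECT per_FirstName, per_LastName FROM person_per "
           "WHERE per_ID = " + per_id)
    return con.execute(sql).fetchall()

def lookup_parameterized(con, per_id):
    """Bound parameter only: the value can never become SQL syntax, so an
    injection payload simply matches no row."""
    sql = "SELECT per_FirstName, per_LastName FROM person_per WHERE per_ID = ?"
    return con.execute(sql, (per_id,)).fetchall()

PER_ID_PATTERN = re.compile(r"[0-9]{1,10}")   # plain ASCII digits, bounded length

def is_valid_per_id(raw):
    """Allow-list check for PerID. Rejects '', '-1', '1 UNION ...', "1'", and the
    non-ASCII digit characters that str.isdigit() would let through."""
    return isinstance(raw, str) and PER_ID_PATTERN.fullmatch(raw) is not None

def parse_per_id(raw):
    if not is_valid_per_id(raw):
        raise ValueError("PerID must be a plain integer")
    return int(raw)

def lookup_hardened(con, raw_per_id):
    """Validation plus a bound parameter: bad input is rejected up front with a
    clear error, and the query text still cannot be altered if validation were
    ever bypassed."""
    per_id = parse_per_id(raw_per_id)
    sql = "SELECT per_FirstName, per_LastName FROM person_per WHERE per_ID = ?"
    return con.execute(sql, (per_id,)).fetchall()

# Constructed test payload: a UNION that pulls rows from an unrelated table.
PAYLOAD = "0 UNION SELECT id, note FROM donation_note"

if __name__ == "__main__":
    con = build_sample_db()
    print("vulnerable   :", lookup_vulnerable(con, PAYLOAD))    # leaks donation_note
    print("parameterized:", lookup_parameterized(con, PAYLOAD)) # []
    try:
        lookup_hardened(con, PAYLOAD)
    except ValueError as exc:
        print("hardened     :", exc)
```

Run it and the first line prints the donation_note row that the concatenated query leaked; the parameterized query returns nothing for the same payload, and the hardened path rejects it before any SQL runs. The same two-layer approach (allow-list the value, then bind it) is what to look for when verifying the patched PaddleNumEditor.php.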
🔍 How to Verify
Check if Vulnerable:
Check if ChurchCRM version is below 6.7.2. Examine PaddleNumEditor.php for raw SQL concatenation with PerID parameter.
Check Version:
Check ChurchCRM admin dashboard or examine version.txt file in installation directory
Verify Fix Applied:
Verify ChurchCRM version is 6.7.2 or higher. Check that PaddleNumEditor.php uses parameterized queries or prepared statements for PerID.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests to PaddleNumEditor.php with non-numeric PerID values
- Database error messages containing SQL syntax
Network Indicators:
- POST/GET requests to PaddleNumEditor.php with SQL injection patterns in PerID parameter
SIEM Query:
source="web_logs" AND uri="/PaddleNumEditor.php" AND (PerID CONTAINS "'" OR PerID CONTAINS "--" OR PerID CONTAINS ";")
This is a pseudo-query; adapt it to your SIEM's syntax. URL-decode the PerID field before matching, since attackers send %27, %2D%2D and %3B rather than the literal characters, and match the URI by suffix or wildcard if ChurchCRM is installed under a sub-path.
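As an added example (not part of the original advisory or of ChurchCRM), the detection rule above implemented over access-log lines: it URL-decodes the query string, keeps only requests to PaddleNumEditor.php under any install path, and flags every PerID value that is not a plain integer. The log lines are constructed samples in Apache/Nginx combined format, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real sources.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PER_ID_OK = re.compile(r"[0-9]{1,10}")   # the only shape a legitimate PerID has

# Constructed sample lines: one legitimate request, two injection attempts
# (one against an install under /churchcrm/), and one unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "GET /PaddleNumEditor.php?PerID=12 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2026:10:01:09 +0000] "GET /PaddleNumEditor.php?PerID=12%27%20OR%201%3D1-- HTTP/1.1" 200 9870
203.0.113.7 - - [10/Mar/2026:10:01:15 +0000] "GET /churchcrm/PaddleNumEditor.php?PerID=0+UNION+SELECT+1%2C2 HTTP/1.1" 500 312
198.51.100.4 - - [10/Mar/2026:10:02:00 +0000] "GET /PersonView.php?PersonID=7 HTTP/1.1" 200 4096
"""

def perid_findings(log_text):
    """Return one finding per request to PaddleNumEditor.php whose PerID, after
    URL decoding, is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/PaddleNumEditor.php"):
            continue                      # other endpoint
        # parse_qs percent-decodes and turns '+' into spaces, so encoded quotes,
        # comment markers and keywords are inspected in their decoded form.
        for value in parse_qs(parts.query, keep_blank_values=True).get("PerID", []):
            if not PER_ID_OK.fullmatch(value):
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "method": m["method"],
                    "status": m["status"],
                    "perid": value,
                })
    return findings

if __name__ == "__main__":
    for f in perid_findings(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['method']} status={f['status']} PerID={f['perid']!r}")
```

Two of the four sample lines are reported: the quote-and-comment probe and the UNION attempt, the latter with the 500 status that a broken query typically produces. Access logs do not record POST bodies, so a PerID sent in a form post is invisible to this check; cover that path with WAF or application-level request logging.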