📦 Churchcrm
by Churchcrm
🛡️ Security Overview
⚠️ Known Vulnerabilities
ChurchCRM versions before 6.5.3 contain a SQL injection vulnerability in the Event Attendee Editor that allows authenticated users to execute arbitrary SQL commands. This can lead to complete database...
ChurchCRM versions before 6.5.3 have a critical vulnerability in the Database Restore functionality that allows attackers to upload malicious files without validation. This enables remote code executi...
ChurchCRM versions before 6.5.3 expose sensitive database credentials in error messages, allowing attackers to obtain database host, IP, username, and password. This affects all ChurchCRM installation...
CVE-2025-62521 is a critical pre-authentication remote code execution vulnerability in ChurchCRM that allows unauthenticated attackers to inject arbitrary PHP code during the initial setup process. Th...
A critical SQL injection vulnerability in ChurchCRM versions 5.13.0 and earlier allows attackers to execute arbitrary database queries through the EditEventTypes functionality. Attackers can manipulat...
CVE-2024-53438 is a critical SQL injection vulnerability in ChurchCRM 5.7.0 that allows attackers to execute arbitrary SQL commands by manipulating the 'Event' parameter. This affects all ChurchCRM 5....
ChurchCRM 5.5.0 contains a blind SQL injection vulnerability in FRCertificates.php via the CurrentFundraiser GET parameter. This allows attackers to execute arbitrary SQL queries and potentially extra...
ChurchCRM 5.5.0 contains a blind SQL injection vulnerability in FRCatalog.php via the CurrentFundraiser GET parameter. Attackers can exploit this to extract database information or potentially execute...
A SQL injection vulnerability in ChurchCRM allows any authenticated user, even with zero permissions, to execute arbitrary SQL commands through the PaddleNumEditor.php endpoint. This could lead to dat...
A SQL injection vulnerability in ChurchCRM allows authenticated users with any permission level to execute arbitrary SQL commands through the familyId parameter in the legacy ConfirmReportEmail.php en...
ChurchCRM versions before 6.5.3 contain a SQL injection vulnerability in the eGive.php file's ReImport functionality. Authenticated users with finance privileges can execute arbitrary SQL queries by m...
CVE-2025-67877 is a SQL injection vulnerability in ChurchCRM versions before 6.5.3 that allows attackers to execute arbitrary SQL commands through the PersonAddress parameter. This affects all ChurchC...
This vulnerability allows any authenticated user in ChurchCRM to perform Kiosk Manager actions like allowing/accepting kiosk registrations, reloading kiosks, and identifying kiosks. It affects all Chu...
This SQL injection vulnerability in ChurchCRM allows malicious or compromised administrator accounts to execute arbitrary SQL commands. Attackers can directly manipulate the database to exfiltrate, mo...
ChurchCRM versions before 6.5.3 contain a SQL injection vulnerability in the ListEvents.php file. Any authenticated user, regardless of privilege level, can execute arbitrary SQL commands to exfiltrat...
ChurchCRM versions before 6.5.0 contain a SQL injection vulnerability in the EventEditor.php file. Authenticated users with event management permissions can exploit this by injecting malicious SQL thr...
ChurchCRM versions 6.2.0 and earlier contain a time-based blind SQL injection vulnerability in the 1FieldSec parameter handling. This allows attackers to extract sensitive database information or modi...
A time-based blind SQL injection vulnerability in ChurchCRM versions 5.13.0 and earlier allows authenticated administrators to execute arbitrary SQL commands via the EN_tyid parameter in EditEventAtte...
This vulnerability allows authenticated administrators in ChurchCRM versions 5.13.0 and earlier to execute arbitrary SQL queries through boolean-based blind SQL injection in the EditEventAttendees fun...
This SQL injection vulnerability in ChurchCRM allows attackers with administrator privileges to execute arbitrary SQL queries through the DonatedItemEditor functionality. It affects ChurchCRM versions...
This SQL injection vulnerability in ChurchCRM allows attackers with administrator privileges to execute arbitrary SQL queries through the BatchWinnerEntry functionality. The vulnerability affects Chur...
ChurchCRM versions before 5.9.2 contain an authenticated SQL injection vulnerability in the GetText.php endpoint. Attackers with any valid user account can inject malicious SQL through the EID paramet...
ChurchCRM 5.5.0 contains a blind SQL injection vulnerability in FRBidSheets.php via the CurrentFundraiser GET parameter. This allows attackers to execute arbitrary SQL queries and potentially extract ...
This SQL injection vulnerability in ChurchCRM v5.0.0 allows remote attackers to execute arbitrary SQL commands via the searchstring and searchwhat parameters in QueryView.php. This can lead to unautho...
This SQL injection vulnerability in ChurchCRM v5.0.0 allows remote attackers to extract sensitive database information by manipulating the volopp parameter in QueryView.php. All organizations running ...
A SQL injection vulnerability in ChurchCRM v5.0.0 allows remote attackers to extract sensitive database information by manipulating the friendmonths parameter in QueryView.php. This affects all Church...
CVE-2023-38764 is an SQL injection vulnerability in ChurchCRM v5.0.0 that allows remote attackers to extract sensitive database information by manipulating birthmonth and percls parameters in QueryVie...
This SQL injection vulnerability in ChurchCRM v5.0.0 allows remote attackers to execute arbitrary SQL commands via the 'value' and 'custom' parameters in QueryView.php. Attackers can potentially acces...
ChurchCRM 4.5.4 contains a blind SQL injection vulnerability in the EditEventTypes.php endpoint via the EN_tyid POST parameter. Attackers can exploit this to extract database information through time-...
ChurchCRM versions 4.5.3 and below contain a SQL injection vulnerability in the GetText.php file via the EID parameter. This allows attackers to execute arbitrary SQL commands on the database. All Chu...
This SQL injection vulnerability in ChurchCRM 4.4.5 allows attackers to execute arbitrary SQL commands via the PersonID parameter in WhyCameEditor.php. This affects all ChurchCRM 4.4.5 installations w...
This SQL injection vulnerability in ChurchCRM allows authenticated attackers to execute arbitrary SQL commands through unsanitized input fields (EN_tyid, theID, EID) during edit operations. It affects...
ChurchCRM versions before 6.7.2 have a stored XSS vulnerability in the calendar event description field. Low-privilege users can inject malicious scripts that execute when other users view the event, ...
ChurchCRM versions before 6.5.4 contain a stored cross-site scripting (XSS) vulnerability in the GroupEditor.php page. Authenticated users with group management permissions can inject malicious JavaSc...
ChurchCRM versions before 6.0.0 have a stored cross-site scripting (XSS) vulnerability where user-supplied HTML/JavaScript isn't properly sanitized. Attackers can inject malicious scripts that execute...
ChurchCRM versions before 6.5.3 have a stored cross-site scripting vulnerability on three people management pages. This allows attackers to inject malicious scripts that execute when users view those ...
ChurchCRM versions before 6.5.3 contain a privilege escalation vulnerability where authenticated users with 'Edit Records' and 'Manage Properties and Classifications' permissions can inject persistent...
A stored cross-site scripting (XSS) vulnerability in ChurchCRM allows low-privilege users with 'Manage Groups' permission to inject persistent JavaScript into group role names. This malicious code exe...
ChurchCRM versions before 6.5.0 echo plaintext passwords back in HTTP responses, allowing attackers to steal user credentials. This affects all ChurchCRM installations running vulnerable versions. The...
This vulnerability in ChurchCRM allows attackers to perform path traversal attacks via the restoreFile parameter in the backup restore functionality. Remote attackers can potentially access or manipul...
A deserialization vulnerability in ChurchCRM's setup.php file allows remote attackers to potentially execute arbitrary code by manipulating DB_PASSWORD, ROOT_PATH, or URL parameters. This affects Chur...
A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.13.0 allows authenticated administrators to inject malicious JavaScript via the EID parameter in EditEventAttendees.php. This enable...