Description
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.
Published: 2026-01-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection enabling data manipulation or disclosure by any authenticated user
Action: Apply patch
AI Analysis

Impact

A SQL injection flaw lives in ChurchCRM’s /PaddleNumEditor.php endpoint in versions earlier than 6.7.2. Any authenticated user, even if granted no permissions, can supply a crafted PerID parameter that is concatenated directly into a database query. This omission of input sanitization can permit the attacker to execute arbitrary SQL statements against the application’s database, potentially allowing unauthorized disclosure, alteration, or deletion of church data.

Affected Systems

The vulnerability affects the ChurchCRM product for all releases prior to version 6.7.2. Users running earlier builds of the CRM must review the upgrade path, as the patch is included starting with release 6.7.2.

Risk and Exploitability

The CVSS score of 8.8 signals high severity, while the EPSS value of less than 1% indicates the likelihood of exploitation is currently very low. The report is not listed in the CISA KEV catalog, so no public exploits are known. However, the flaw requires authentication; once an attacker has valid credentials, they can directly target the vulnerable endpoint with a malicious PerID payload, potentially compromising the entire database.

Generated by OpenCVE AI on April 18, 2026 at 01:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 6.7.2 or later to remove the injection flaw.
  • Audit user accounts and revoke or assign proper permissions so that no authenticated user has zero privileges.
  • Add input validation or use parameterized queries in PaddleNumEditor.php to ensure the PerID value is strictly checked before database use.

Generated by OpenCVE AI on April 18, 2026 at 01:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Fri, 30 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.
Title Church CRM has SQL injection in PaddleNumEditor.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-30T15:57:32.491Z

Reserved: 2026-01-27T14:51:03.061Z

Link: CVE-2026-24854

cve-icon Vulnrichment

Updated: 2026-01-30T15:56:57.505Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-30T16:16:13.620

Modified: 2026-02-17T14:33:24.433

Link: CVE-2026-24854

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses