Description
ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the `Field` parameter and thus modify tables from the database. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Uncontrolled SQL injection allowing arbitrary database modification by authenticated users
Action: Patch ASAP
AI Analysis

Impact

ChurchCRM, an open‑source church management system, contains an SQL injection flaw in the GroupPropsFormRowOps.php, PersonCustomFieldsRowOps.php, and FamilyCustomFieldsRowOps.php endpoints. Attackers authenticated as users with ManageGroups privileges (or administrative users for the other two endpoints) can supply malicious content in the Field parameter, which is interpolated directly into SQL statements. This enables the attacker to insert, update, or delete rows in arbitrary database tables, compromising the integrity and confidentiality of church data and potentially giving the attacker a foothold for further exploitation.

Affected Systems

All ChurchCRM installations running any version prior to 7.1.0 are affected. The vulnerability applies to the server‑side script that handles group, person custom field, and family custom field operations.

Risk and Exploitability

The CVSS score of 8.8 classifies this vulnerability as high severity. EPSS indicates a very low probability of exploitation, and it is not currently listed in CISA’s KEV catalog. Exploitation requires authentication and sufficient privileges, meaning the attacker must first obtain valid credentials or elevate privileges. Nevertheless, once authenticated, the attack path is straightforward: a crafted request to the vulnerable endpoint with a malicious Field value will execute arbitrary SQL.

Generated by OpenCVE AI on April 9, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the ChurchCRM patch that upgrades to version 7.1.0 or later
  • If a patch cannot be applied immediately, restrict access to the GroupPropsFormRowOps.php, PersonCustomFieldsRowOps.php, and FamilyCustomFieldsRowOps.php endpoints to users with administrative privileges only and remove any unnecessary privileges from other users
  • Ensure that all user credentials are strong and that multi‑factor authentication is enabled to reduce the risk of unauthorized login

Generated by OpenCVE AI on April 9, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not escape backtick characters, allowing attackers to break out of SQL identifier context and execute arbitrary SQL statements. This vulnerability is fixed in 7.1.0. ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the `Field` parameter and thus modify tables from the database. This vulnerability is fixed in 7.1.0.
References

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not escape backtick characters, allowing attackers to break out of SQL identifier context and execute arbitrary SQL statements. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T17:25:34.147Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39318

cve-icon Vulnrichment

Updated: 2026-04-08T18:46:22.327Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:42.810

Modified: 2026-04-15T20:20:24.653

Link: CVE-2026-39318

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:22Z

Weaknesses