Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection – arbitrary database read and write
Action: Immediate Patch
AI Analysis

Impact

The issue is a second‑order SQL injection located in the /FundRaiserEditor.php page of ChurchCRM versions older than 7.1.0. An authenticated user can supply a specially crafted value for the iCurrentFundraiser session variable, which is later concatenated into an SQL statement without proper sanitisation. This permits execution of arbitrary SQL commands, allowing the attacker to read sensitive database contents or modify records, potentially exposing membership and financial data.

Affected Systems

All installations of ChurchCRM running a release before 7.1.0 are vulnerable, regardless of customisations, as the flaw resides in the core source code. The vulnerability is triggered by any authenticated user, even those with minimal privileges, because authentication alone is sufficient to reach the endpoint and manipulate the session variable.

Risk and Exploitability

The flaw carries a CVSS base score of 8.8, indicating high severity, while its EPSS score is below 1 %, suggesting that widespread exploitation is presently unlikely. The vulnerability is not listed in the CISA KEV catalog. An attacker would need an existing session cookie or valid credentials; once in, they can extract or alter data, undermining confidentiality, integrity, and potentially the availability of the system.

Generated by OpenCVE AI on April 10, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later

Generated by OpenCVE AI on April 10, 2026 at 23:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has a Second Order SQLI via FundRaiserEditor.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:39:12.132Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39319

cve-icon Vulnrichment

Updated: 2026-04-08T14:39:08.295Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:42.950

Modified: 2026-04-10T20:57:19.097

Link: CVE-2026-39319

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:26:26Z

Weaknesses