Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized database access and modification
Action: Immediate Patch
AI Analysis

Impact

Blind SQL injection in the SettingsUser.php endpoint of ChurchCRM allows an authenticated administrator to inject arbitrary SQL statements. The vulnerability exposes the ability to read sensitive data and alter database contents, effectively compromising confidentiality, integrity, and potentially availability of church records. It is classified as a classic SQL injection (CWE-89).

Affected Systems

The affected product is ChurchCRM, an open-source church management system. All released versions prior to 7.1.0, including the 7.0.5 build, are vulnerable. Administrators with valid credentials can exploit the flaw.

Risk and Exploitability

The CVSS score of 7.2 denotes a high severity, while the EPSS score of less than 1 % indicates a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated administrator account and is achieved through the index parameter in a blind manner, meaning the attacker receives limited feedback but can still extract and modify data over time.

Generated by OpenCVE AI on April 10, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later, which contains the fix for the SQL injection.
  • If an immediate upgrade is not possible, restrict administrative access to the SettingsUser.php endpoint and review database user permissions to limit potential damage.
  • Monitor application logs for unexpected database queries that may indicate exploitation attempts.

Generated by OpenCVE AI on April 10, 2026 at 22:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has a Blind SQL injection in SettingsUser.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T15:48:09.561Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39325

cve-icon Vulnrichment

Updated: 2026-04-09T15:48:02.997Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:43.547

Modified: 2026-04-10T20:57:09.493

Link: CVE-2026-39325

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:26:41Z

Weaknesses