Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data exfiltration including credential theft
Action: Immediate Patch
AI Analysis

Impact

A time‑based blind SQL injection exists in PropertyTypeEditor.php that concatenates user‑supplied Name and Description values directly into INSERT and UPDATE queries. The flaw arose after replacing legacyFilterInput() with sanitizeText(), which removes only HTML but fails to escape SQL. An authenticated user with the MenuOptions role – a non‑admin staff permission – can exploit the flaw to retrieve arbitrary database contents, including all user password hashes.

Affected Systems

ChurchCRM systems running any version prior to 7.1.0 are vulnerable. The issue is limited to the administration interface for managing property type categories (People → Person Properties / Family Properties).

Risk and Exploitability

The vulnerability receives a CVSS base score of 8.1, indicating a high severity. Its EPSS score is below 1 %, suggesting a low likelihood of public exploitation, and it is not listed in CISA’s KEV catalog. Nevertheless, an attacker must be authenticated and hold the MenuOptions permission, but this role is commonly granted to non‑admin staff, making the attack path feasible within many organizations.

Generated by OpenCVE AI on April 9, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later where the vulnerability is fixed.
  • Restrict the MenuOptions permission or remove it from staff accounts that do not require property management functions.
  • Review database logs for suspicious queries that may indicate exploitation, and investigate any anomalies.
  • As a temporary measure, if upgrading is not immediately possible, consider disabling or restricting access to PropertyTypeEditor.php to prevent the injection vector.

Generated by OpenCVE AI on April 9, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:45:58.503Z

Reserved: 2026-04-06T20:28:38.393Z

Link: CVE-2026-39340

cve-icon Vulnrichment

Updated: 2026-04-08T18:45:47.223Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:46.010

Modified: 2026-04-09T18:43:44.493

Link: CVE-2026-39340

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:21Z

Weaknesses