Impact
The vulnerability in ChurchCRM arises from improper input validation on the Reports/ConfirmReportEmail.php endpoint. The application accepts a familyId parameter and sanitizes the input, but then fails to use the sanitized value when constructing the SQL query. This oversight allows a time-based SQL injection, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can reveal, modify, or delete sensitive church data held in the database, compromising confidentiality, integrity, and potentially availability of the system.
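The bug class described above, as an added illustration rather than ChurchCRM's own code: a hypothetical PHP handler using PDO, in which the sanitized copy of familyId is computed but the raw request value is the one concatenated into the query, shown beside a version that validates once and binds the value as a parameter. The table and column names (family_fam, fam_ID, fam_Email) are assumptions for the demo.

```php
<?php
// Added illustration of the bug class described above: the handler sanitizes
// familyId but then interpolates the *raw* request value into the SQL string.
// Hypothetical code using PDO; it is not ChurchCRM's own implementation.
// Assumed schema: table family_fam with columns fam_ID and fam_Email.

declare(strict_types=1);

function getFamilyEmailVulnerable(PDO $db, array $request): ?string
{
    // The sanitized copy is computed ...
    $familyId = (int) ($request['familyId'] ?? 0);
    // ... but the raw request value is the one concatenated into the query,
    // so the cast never takes effect and the value reaches the SQL parser.
    $sql = "SELECT fam_Email FROM family_fam WHERE fam_ID = " . $request['familyId'];
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row['fam_Email'] ?? null;
}

function getFamilyEmailFixed(PDO $db, array $request): ?string
{
    // Validate once, then bind: the value is an integer parameter, never SQL text.
    $familyId = filter_var($request['familyId'] ?? null, FILTER_VALIDATE_INT);
    if ($familyId === false || $familyId <= 0) {
        throw new InvalidArgumentException('familyId must be a positive integer');
    }
    $stmt = $db->prepare('SELECT fam_Email FROM family_fam WHERE fam_ID = :id');
    $stmt->bindValue(':id', $familyId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['fam_Email'] ?? null;
}

// Self-contained demo on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE family_fam (fam_ID INTEGER PRIMARY KEY, fam_Email TEXT)');
$db->exec("INSERT INTO family_fam VALUES (1, 'smith@example.org'), (2, 'jones@example.org')");

// A non-integer familyId: the fixed handler refuses it before any SQL runs;
// the vulnerable handler executes it and returns a row the caller never asked for.
$input = ['familyId' => '2 OR fam_ID = 1'];
try {
    getFamilyEmailFixed($db, $input);
} catch (InvalidArgumentException $e) {
    echo "fixed:      rejected ({$e->getMessage()})\n";
}
echo "vulnerable: " . getFamilyEmailVulnerable($db, $input) . "\n";
```

Requires the pdo_sqlite extension; the same contrast applies unchanged to a MySQL DSN, which is what the affected product uses.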
Affected Systems
All installations of ChurchCRM that are running a version prior to 7.1.0 are affected by this flaw. The issue sits in the open‑source Church Management System's reporting functionality, specifically the endpoint that triggers email confirmations. Systems that expose this endpoint to external users, whether authenticated or not, are at risk.
Risk and Exploitability
The CVSS score of 8.1 rates the vulnerability as high severity, while the EPSS score of less than 1% indicates a low current likelihood of public exploitation. It is not listed in the CISA KEV catalog. The likely attack path involves sending a crafted HTTP request with a malicious familyId value to the Reports/ConfirmReportEmail.php endpoint. The description mentions no authentication check on this endpoint, so an unauthenticated user could plausibly trigger the injection; note that this inference rests on that absence rather than on a confirmed finding.
OpenCVE Enrichment