Description
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge. This vulnerability is fixed in 7.3.2.
Published: 2026-05-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

UserEditor.php in ChurchCRM handles user creation and permission updates from $_POST parameters without validating a CSRF token. An attacker who lures a logged-in administrator to a crafted page can have the administrator's browser submit a forged POST that elevates a low-privilege user to full administrator or creates a new administrator account, without the victim noticing. The result is full administrative control of the application, affecting confidentiality, integrity and availability. The assigned weaknesses are improper privilege management (CWE-269), missing authentication for a critical function (CWE-306) and cross-site request forgery (CWE-352).

Affected Systems

ChurchCRM, all releases prior to version 7.3.2. The vulnerability resides in UserEditor.php, the component responsible for user creation and permission updates.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates high severity: the attack is network-reachable, low complexity and requires no privileges, but it does require user interaction. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a crafted HTML page (an auto-submitting form, for example) that causes the victim's browser to send a forged POST to UserEditor.php carrying the administrator's own session cookie. The attacker needs no account on the CRM and no other weakness, only an administrator with an active session who visits the attacker's page. Because exploitation depends on that social-engineering step, the practical risk is moderate, but it is significant wherever administrators browse the web from the same browser profile they use for the CRM session.

Generated by OpenCVE AI on May 12, 2026 at 23:38 UTC.

Remediation

The description states that the issue is fixed in ChurchCRM 7.3.2. No separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Update ChurchCRM to version 7.3.2 or later, which fixes this issue.
  • If an immediate upgrade is not possible, reject cross-site POST requests to UserEditor.php until it is patched: for example, have the reverse proxy deny requests whose Origin header does not match the CRM's own origin (or whose Sec-Fetch-Site header is "cross-site"), or restrict the endpoint to a trusted network. The unpatched handler issues no token of its own, so a "require a valid CSRF token" rule can only be enforced by adding that check server-side.
  • Set SameSite=Lax (or Strict) on the session cookie so browsers omit it from cross-site POST requests, mark the cookie Secure, and enforce HTTPS for all admin pages. This is defence in depth, not a substitute for token validation: SameSite protects only users on browsers that honour it, and Lax still sends the cookie on top-level GET navigations.
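As an added illustration (this is not ChurchCRM's code, and the field names user_id and is_admin, the grant_admin() helper and the deployment origin https://crm.example.org are assumptions), the following shows the class of handler the description refers to next to a hardened version that applies the three measures above: a per-session synchronizer token, a Fetch Metadata/Origin check, and SameSite/Secure attributes on the session cookie.

```php
<?php
// Added illustration, not ChurchCRM code. The field names user_id/is_admin,
// the grant_admin() helper and the origin https://crm.example.org are assumed.
declare(strict_types=1);

// Defence in depth: SameSite keeps the session cookie off cross-site POSTs,
// Secure keeps it off plaintext HTTP, HttpOnly keeps it away from scripts.
session_set_cookie_params([
    'samesite' => 'Lax',
    'secure'   => true,
    'httponly' => true,
]);
session_start();

const ALLOWED_ORIGIN = 'https://crm.example.org'; // assumed deployment origin

/** Stand-in for the real database write (assumed helper). */
function grant_admin(int $userId, bool $isAdmin): void
{
    error_log(sprintf('user %d admin=%s', $userId, $isAdmin ? 'yes' : 'no'));
}

// VULNERABLE: the handler trusts the session cookie alone, so any cross-site
// form POST the victim's browser sends with that cookie is processed as if
// the administrator had submitted it.
function handle_user_update_vulnerable(array $post): void
{
    $userId  = (int) ($post['user_id'] ?? 0);
    $isAdmin = ($post['is_admin'] ?? '0') === '1';
    grant_admin($userId, $isAdmin);
}

// HARDENED, step 1: a per-session synchronizer token, embedded in every
// state-changing form. An attacker's page cannot read it cross-origin.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// HARDENED, step 2: compare the token in constant time, then reject requests
// the browser itself labels cross-site (Fetch Metadata) or that carry a
// foreign Origin header. A missing Origin is tolerated for older clients.
function csrf_check(array $post, array $server): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    if (($server['HTTP_SEC_FETCH_SITE'] ?? '') === 'cross-site') {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== ALLOWED_ORIGIN) {
        return false;
    }
    return true;
}

function handle_user_update_hardened(array $post, array $server): void
{
    if (!csrf_check($post, $server)) {
        http_response_code(403);
        exit('Rejected: missing or invalid CSRF token');
    }
    $userId  = (int) ($post['user_id'] ?? 0);
    $isAdmin = ($post['is_admin'] ?? '0') === '1';
    grant_admin($userId, $isAdmin);
}

// The editor form carries the token back as a hidden field.
function render_user_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="UserEditor.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="number" name="user_id">'
         . '<label><input type="checkbox" name="is_admin" value="1"> Admin</label>'
         . '<button type="submit">Save</button>'
         . '</form>';
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    handle_user_update_hardened($_POST, $_SERVER);
} else {
    echo render_user_form();
}
```

The is_string() guard matters because PHP turns a submitted `csrf_token[]=x` into an array, which hash_equals() would reject with a TypeError rather than a clean 403. The Sec-Fetch-Site and Origin checks are independent of the token and would also catch a forged request if a token ever leaked, which is why the reverse-proxy rule above works as a stopgap before the application itself is patched.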

Generated by OpenCVE AI on May 12, 2026 at 23:38 UTC.


Advisories

No advisories yet.

History

Tue, 12 May 2026 22:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge. This vulnerability is fixed in 7.3.2.
Title        (none)           ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation
Weaknesses   (none)           CWE-269, CWE-306, CWE-352
References   (none)           (none listed)
Metrics      (none)           cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T22:23:25.126Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42289

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T23:16:17.730

Modified: 2026-05-12T23:16:17.730

Link: CVE-2026-42289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses