Description
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge. This vulnerability is fixed in 7.3.2.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing CSRF token in ChurchCRM's UserEditor.php allows an unauthenticated attacker to craft a malicious page that, when visited by an authenticated administrator, silently elevates a low-privilege user to a full administrator or creates a new backdoor admin account. The result is full control over the system, compromising confidentiality, integrity and availability. The weakness is a classic privilege-management flaw (CWE-269) compounded by improper authentication and missing CSRF protection (CWE-306 and CWE-352).

Affected Systems

ChurchCRM product, all releases prior to version 7.3.2 obtained from the ChurchCRM project repository. The vulnerability resides in the UserEditor.php component responsible for user creation and permission updates.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTML page that triggers a CSRF request using the victim's authenticated session cookie; no local access or code execution is required. The attacker needs neither credentials nor any other weakness in the application: the missing CSRF token alone is sufficient. Due to the nature of CSRF, the exploitation risk is moderate but significant for environments with widely-distributed administrators.

Generated by OpenCVE AI on May 12, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ChurchCRM to version 7.3.2 or later, which introduces CSRF token validation for user permission changes.
  • If an immediate upgrade is not possible, block POST requests to UserEditor.php that modify permissions unless a valid CSRF token is present, either by disabling the endpoint or by adding a server-side check.
  • Configure the application and web server to use SameSite=Lax or Strict attributes on session cookies and ensure HTTPS is enforced for all admin pages, reducing the chance that a malicious page can exploit the session.
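One way to implement the server-side check and cookie hardening described in the actions above, as an added example that is not ChurchCRM's own code; the function names, the `csrf_token` field name and the session key are assumptions.

```php
<?php
// Added example (not ChurchCRM code): session-bound CSRF token for a
// privilege-changing POST handler. Names are assumptions.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

function csrfToken(): string
{
    // One CSPRNG-minted token per session; rotating it on login is better.
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

function csrfField(): string
{
    // Emit inside every state-changing <form>; escaped for HTML context.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfIsValid(array $post, array $session): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // Both sides must be non-empty strings; hash_equals is constant-time.
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

function requireCsrf(): void
{
    // Call before any user creation or permission update is processed.
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfIsValid($_POST, $_SESSION)) {
        http_response_code(403);
        error_log('CSRF check failed for ' . ($_SERVER['REQUEST_URI'] ?? '?'));
        exit('Invalid or missing CSRF token.');
    }
}

// Session cookie hardening from the third action: SameSite plus Secure/HttpOnly.
session_set_cookie_params([
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();
requireCsrf();
// ... existing handling of user creation / permission update follows ...
```

A forged cross-site POST carries the session cookie but cannot read the token from the victim's page, so it fails the `hash_equals` check and never reaches the update logic.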

Generated by OpenCVE AI on May 12, 2026 at 23:38 UTC.

Advisories

No advisories yet.

History

Thu, 14 May 2026 13:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Churchcrm; Churchcrm churchcrm

Type: Vendors & Products
Values Removed: (none)
Values Added: Churchcrm; Churchcrm churchcrm

Tue, 12 May 2026 22:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge. This vulnerability is fixed in 7.3.2.

Type: Title
Values Removed: (none)
Values Added: ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-269, CWE-306, CWE-352

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:36:48.339Z

Reserved: 2026-04-26T12:13:55.551Z

Link: CVE-2026-42289

Vulnrichment

Updated: 2026-05-14T12:36:40.327Z

NVD

Status: Deferred

Published: 2026-05-12T23:16:17.730

Modified: 2026-05-14T13:16:18.157

Link: CVE-2026-42289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T09:45:09Z

Weaknesses
  • CWE-269: Improper Privilege Management
  • CWE-306: Missing Authentication for Critical Function
  • CWE-352: Cross-Site Request Forgery (CSRF)