ChurchCRM SQL Injection Vulnerability in PropertyTypeEditor.php
A critical SQL injection vulnerability (CVE-2026-39323) in ChurchCRM versions prior to 7.1.0 allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands via unsanitized POST parameters in PropertyTypeEditor.php, leading to potential data exfiltration, modification, or deletion.
ChurchCRM, an open-source church management system, is vulnerable to SQL injection in versions prior to 7.1.0. The vulnerability, identified as CVE-2026-39323, resides in the PropertyTypeEditor.php component. The root cause is the insufficient sanitization of the Name and Description POST parameters. These parameters are only processed with strip_tags() before being directly concatenated into SQL queries. An authenticated user with "Manage Properties" permission can exploit this by injecting malicious SQL code through these parameters. Successful exploitation allows the attacker to execute arbitrary SQL commands, giving them the ability to exfiltrate sensitive data, modify existing records, or delete critical information from the database. The injected data persists in the database and is reflected across multiple application pages without proper output encoding, amplifying the impact. Users of ChurchCRM are advised to upgrade to version 7.1.0 or later to remediate this vulnerability.
Attack Chain
- An attacker authenticates to the ChurchCRM application with an account that has the "Manage Properties" permission.
- The attacker crafts a malicious HTTP POST request targeting
PropertyTypeEditor.php. - The POST request includes SQL injection payloads within the
Nameand/orDescriptionparameters. - The
PropertyTypeEditor.phpscript receives the POST request and appliesstrip_tags()to theNameandDescriptionparameters. - The sanitized, but still vulnerable,
NameandDescriptionparameters are concatenated directly into an SQL query without proper escaping or parameterization. - The malicious SQL query is executed against the ChurchCRM database.
- The attacker gains the ability to manipulate database records, potentially exfiltrating sensitive data like user credentials, financial records, or personal information.
- The injected data persists in the database and gets reflected in other application pages, further compromising the application's integrity.
Impact
Successful exploitation of this SQL injection vulnerability (CVE-2026-39323) in ChurchCRM can lead to severe consequences. An attacker can gain unauthorized access to sensitive data, including member information, financial records, and user credentials. The attacker could modify or delete critical data, disrupting church operations and potentially leading to financial losses. The number of organizations potentially affected is significant, as ChurchCRM is a widely used open-source solution for church management. The injected data will persist in the database and is reflected across multiple application pages without output encoding.
Recommendation
- Upgrade ChurchCRM to version 7.1.0 or later to patch the SQL injection vulnerability (CVE-2026-39323).
- Implement input validation and parameterized queries to prevent SQL injection attacks in
PropertyTypeEditor.phpand other database interaction points within ChurchCRM. - Deploy the Sigma rule to detect potential exploitation attempts targeting
PropertyTypeEditor.php. - Review web server access logs for suspicious POST requests to
PropertyTypeEditor.php(webserver log source).
Detection coverage 2
Detect ChurchCRM SQL Injection Attempt via PropertyTypeEditor.php
criticalDetects potential SQL injection attempts in ChurchCRM's PropertyTypeEditor.php by identifying suspicious characters in the POST request body.
Detect ChurchCRM SQL Injection via base64 encoded payload
criticalDetects potential SQL injection attempts in ChurchCRM's PropertyTypeEditor.php with base64 encoded payload.
Detection queries are available on the platform. Get full rules →