<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ChurchCRM - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/churchcrm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/churchcrm/feed.xml" rel="self" type="application/rss+xml"/><item><title>ChurchCRM SQL Injection Vulnerability in PropertyTypeEditor.php</title><link>https://feed.craftedsignal.io/briefs/2024-01-29-churchcrm-sqli/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-29-churchcrm-sqli/</guid><description>A critical SQL injection vulnerability (CVE-2026-39323) in ChurchCRM versions prior to 7.1.0 allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands via unsanitized POST parameters in PropertyTypeEditor.php, leading to potential data exfiltration, modification, or deletion.</description><content:encoded><![CDATA[<p>ChurchCRM, an open-source church management system, is vulnerable to SQL injection in versions prior to 7.1.0. The vulnerability, identified as CVE-2026-39323, resides in the PropertyTypeEditor.php component. The root cause is the insufficient sanitization of the Name and Description POST parameters. These parameters are only processed with <code>strip_tags()</code> before being directly concatenated into SQL queries. An authenticated user with &quot;Manage Properties&quot; permission can exploit this by injecting malicious SQL code through these parameters. Successful exploitation allows the attacker to execute arbitrary SQL commands, giving them the ability to exfiltrate sensitive data, modify existing records, or delete critical information from the database. The injected data persists in the database and is reflected across multiple application pages without proper output encoding, amplifying the impact. Users of ChurchCRM are advised to upgrade to version 7.1.0 or later to remediate this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the ChurchCRM application with an account that has the &quot;Manage Properties&quot; permission.</li>
<li>The attacker crafts a malicious HTTP POST request targeting <code>PropertyTypeEditor.php</code>.</li>
<li>The POST request includes SQL injection payloads within the <code>Name</code> and/or <code>Description</code> parameters.</li>
<li>The <code>PropertyTypeEditor.php</code> script receives the POST request and applies <code>strip_tags()</code> to the <code>Name</code> and <code>Description</code> parameters.</li>
<li>The sanitized, but still vulnerable, <code>Name</code> and <code>Description</code> parameters are concatenated directly into an SQL query without proper escaping or parameterization.</li>
<li>The malicious SQL query is executed against the ChurchCRM database.</li>
<li>The attacker gains the ability to manipulate database records, potentially exfiltrating sensitive data like user credentials, financial records, or personal information.</li>
<li>The injected data persists in the database and gets reflected in other application pages, further compromising the application's integrity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability (CVE-2026-39323) in ChurchCRM can lead to severe consequences. An attacker can gain unauthorized access to sensitive data, including member information, financial records, and user credentials. The attacker could modify or delete critical data, disrupting church operations and potentially leading to financial losses. The number of organizations potentially affected is significant, as ChurchCRM is a widely used open-source solution for church management. The injected data will persist in the database and is reflected across multiple application pages without output encoding.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ChurchCRM to version 7.1.0 or later to patch the SQL injection vulnerability (CVE-2026-39323).</li>
<li>Implement input validation and parameterized queries to prevent SQL injection attacks in <code>PropertyTypeEditor.php</code> and other database interaction points within ChurchCRM.</li>
<li>Deploy the Sigma rule to detect potential exploitation attempts targeting <code>PropertyTypeEditor.php</code>.</li>
<li>Review web server access logs for suspicious POST requests to <code>PropertyTypeEditor.php</code> (webserver log source).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>churchcrm</category><category>sql-injection</category><category>web-application</category></item><item><title>ChurchCRM Remote Code Execution via Backup Restore Vulnerability (CVE-2026-40484)</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-churchcrm-rce/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-churchcrm-rce/</guid><description>ChurchCRM versions before 7.2.0 are vulnerable to remote code execution (RCE) due to insufficient file extension filtering during database backup restoration, allowing an authenticated administrator to upload a crafted archive containing a PHP webshell that can be executed via HTTP requests.</description><content:encoded><![CDATA[<p>ChurchCRM, an open-source church management system, is susceptible to remote code execution (RCE) in versions prior to 7.2.0. This vulnerability stems from the insecure handling of database backup restoration. Specifically, the <code>recursiveCopyDirectory()</code> function fails to adequately filter file extensions when extracting uploaded archive contents from the <code>Images/</code> directory, copying files into the web-accessible document root. An authenticated administrator can exploit this by uploading a malicious backup archive containing a PHP webshell. Due to the lack of file extension filtering, this webshell is written to a publicly accessible path, enabling attackers to execute arbitrary code on the server as the web server user via HTTP requests. The absence of CSRF token validation on the restore endpoint further exacerbates the issue, enabling cross-site request forgery (CSRF) attacks against authenticated administrators. This vulnerability is identified as CVE-2026-40484.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains valid administrator credentials to the ChurchCRM application.</li>
<li>Attacker crafts a malicious backup archive containing a PHP webshell file (e.g., <code>shell.php</code>) within an <code>Images/</code> directory structure.</li>
<li>The attacker uploads the crafted backup archive through the ChurchCRM administrative interface using the database backup restore functionality.</li>
<li>The application's <code>recursiveCopyDirectory()</code> function extracts the archive contents without proper file extension filtering.</li>
<li>The PHP webshell file (e.g., <code>shell.php</code>) is copied from the <code>Images/</code> directory within the archive to a publicly accessible directory in the web server's document root.</li>
<li>The attacker leverages the lack of CSRF protection in the restore endpoint, possibly by tricking an administrator into triggering the restore via a malicious link or website.</li>
<li>The attacker sends an HTTP request to the uploaded PHP webshell (e.g., <code>http://churchcrm.example.com/Images/shell.php?cmd=whoami</code>) to execute arbitrary code on the server.</li>
<li>The web server executes the PHP code, granting the attacker remote code execution capabilities as the web server user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the ChurchCRM server with the privileges of the web server user. This could lead to complete compromise of the server, data exfiltration (including sensitive church member data), defacement of the website, or further lateral movement within the network. Given the sensitive nature of data typically stored in church management systems, the impact can be severe.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ChurchCRM to version 7.2.0 or later to patch CVE-2026-40484 immediately.</li>
<li>Implement a web application firewall (WAF) rule to detect and block requests to potentially malicious PHP files uploaded to the <code>Images/</code> directory, specifically targeting HTTP requests with suspicious parameters like <code>cmd=</code>.</li>
<li>Deploy the Sigma rule detecting suspicious PHP file creation in web directories to identify potential webshell uploads.</li>
<li>Enable logging for web server access and error logs and monitor for unusual activity, especially related to the <code>Images/</code> directory.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-40484</category><category>ChurchCRM</category><category>Remote Code Execution</category><category>Web Shell</category><category>CSRF</category></item><item><title>ChurchCRM &lt; 7.2.0 Family Record Deletion CSRF Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-churchcrm-csrf/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-churchcrm-csrf/</guid><description>ChurchCRM versions prior to 7.2.0 are vulnerable to a CSRF attack on the family record deletion endpoint allowing an attacker to trigger deletion of family records by enticing an authenticated administrator to visit a malicious page.</description><content:encoded><![CDATA[<p>ChurchCRM, an open-source church management system, is susceptible to a critical Cross-Site Request Forgery (CSRF) vulnerability in versions prior to 7.2.0. Specifically, the family record deletion endpoint (SelectDelete.php) lacks CSRF token validation. This allows an attacker to craft a malicious web page that, when visited by an authenticated ChurchCRM administrator, will silently trigger the deletion of family records. The scope of this vulnerability extends to all associated data, including notes, pledges, persons, and property information. Successful exploitation results in irreversible data loss without user confirmation. Users are advised to upgrade to version 7.2.0 or later to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable ChurchCRM instance running a version prior to 7.2.0.</li>
<li>Attacker crafts a malicious HTML page containing an <code>&lt;img&gt;</code> or <code>&lt;iframe&gt;</code> tag that makes a GET request to <code>SelectDelete.php</code> with the ID of the target family record.  The URL looks like: <code>https://example.com/ChurchCRM/FamilyView.php?FamilyID=123&amp;Action=Delete</code>.</li>
<li>Attacker social engineers an authenticated ChurchCRM administrator into visiting the malicious HTML page (e.g., via phishing or embedding the page on a compromised website).</li>
<li>The administrator's browser automatically sends the GET request to <code>SelectDelete.php</code> along with the administrator's valid session cookies.</li>
<li>The ChurchCRM server, lacking CSRF protection, processes the request and deletes the specified family record and all associated data.</li>
<li>The targeted family record, along with associated notes, pledges, persons, and property data, is permanently and irreversibly deleted from the ChurchCRM database.</li>
<li>The attacker achieves the objective of data deletion and potential disruption of church management operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful CSRF attack against ChurchCRM can result in the permanent and irreversible deletion of sensitive family records and associated data, potentially affecting hundreds or thousands of individuals depending on the size of the church and its record-keeping practices. This data loss can disrupt church operations, damage relationships with members, and lead to legal or regulatory compliance issues depending on the nature of the stored data. The lack of user interaction required for this exploit makes it particularly dangerous as administrators may be unaware that data is being deleted.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ChurchCRM to version 7.2.0 or later to patch the CSRF vulnerability in <code>SelectDelete.php</code> (see Overview).</li>
<li>Deploy the provided Sigma rule to detect suspicious requests to <code>SelectDelete.php</code> (see Rules).</li>
<li>Implement web application firewall (WAF) rules to block requests to <code>SelectDelete.php</code> that lack a valid CSRF token, if possible.</li>
<li>Educate ChurchCRM administrators about the risks of CSRF attacks and the importance of avoiding suspicious links or websites.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>CVE-2026-40581</category><category>csrf</category><category>churchcrm</category><category>data-deletion</category></item></channel></rss>