{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/churchcrm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":5.4,"id":"CVE-2023-38766"},{"cvss":8.7,"id":"CVE-2026-35576"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["xss","web-application","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a stored cross-site scripting (XSS) attack affecting versions prior to 7.0.0. This vulnerability resides within the Person Property Management subsystem: the values of dynamically assigned person properties are stored and later rendered without adequate sanitization or output encoding. An authenticated attacker can inject malicious JavaScript code, which is then persistently stored in the database. When other users view the compromised person\u0026rsquo;s profile or access the printable view of that profile, the injected script executes in their browser under their session, potentially leading to session hijacking or complete account takeover. The flaw is present in builds that already contain the fix for CVE-2023-38766, meaning that earlier fix did not cover this code path. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and data breaches. Users are advised to update to version 7.0.0 or later to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to ChurchCRM with valid user credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the Person Property Management section.\u003c/li\u003e\n\u003cli\u003eAttacker creates or modifies a dynamically assigned person property, injecting malicious JavaScript code into a property field. 
Example payload: \u003ccode\u003e\u0026lt;script\u0026gt;alert(\u0026quot;XSS\u0026quot;)\u0026lt;/script\u0026gt;\u003c/code\u003e (a proof-of-concept; real payloads are usually obfuscated or use event-handler attributes rather than a bare script tag, so detection must not rely on that literal string).\u003c/li\u003e\n\u003cli\u003eThe application stores the malicious payload in the database without proper sanitization.\u003c/li\u003e\n\u003cli\u003eA different user views the profile, or the printable view of the profile, of the person with the compromised property.\u003c/li\u003e\n\u003cli\u003eThe stored payload is rendered without output encoding and the injected JavaScript executes in the viewing user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe injected script steals the viewer\u0026rsquo;s session cookie (only possible if the cookie is not marked HttpOnly), issues authenticated requests directly from the viewer\u0026rsquo;s browser, or redirects the viewer to a phishing page.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen session, or the requests issued from the viewer\u0026rsquo;s browser, to act with that user\u0026rsquo;s privileges; if the viewer is an administrator, this amounts to full account takeover and access to sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability can lead to session hijacking and full account compromise. The attacker gains the privileges of whichever user views the poisoned profile, and could therefore access sensitive church member data, modify records, or perform administrative functions within the ChurchCRM system. The impact ranges from data theft and privacy breaches to complete disruption of church management operations. Given the potential for widespread access to sensitive personal information, organizations are strongly advised to apply the necessary updates to mitigate this risk. 
The CVSS base score for this vulnerability is 8.7, indicating high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 7.0.0 or later to patch the vulnerability (CVE-2026-35576).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential XSS attempts via crafted property values, and tune it beyond the literal \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e string to cover encoded and event-handler variants.\u003c/li\u003e\n\u003cli\u003eReview and audit existing dynamically assigned person properties for script tags, event-handler attributes, and other unexpected markup to identify records that were poisoned before the upgrade; upgrading does not remove payloads already stored.\u003c/li\u003e\n\u003cli\u003eApply context-appropriate output encoding wherever property values are rendered, including the printable profile view; input validation alone does not reliably prevent stored XSS.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:00:00Z","date_published":"2026-04-08T12:00:00Z","id":"/briefs/2026-04-churchcrm-xss/","summary":"A stored cross-site scripting (XSS) vulnerability in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject arbitrary JavaScript code via dynamically assigned person properties, leading to potential session hijacking or account compromise when other users view the affected profile.","title":"ChurchCRM Stored XSS Vulnerability in Person Property Management","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-39337"},{"cvss":10,"id":"CVE-2025-62521"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","cve-2026-39337","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a critical pre-authentication remote code execution (RCE) flaw, identified as CVE-2026-39337. This vulnerability affects versions prior to 7.1.0. An unauthenticated attacker who can reach the setup wizard used during initial installation can inject arbitrary PHP code, leading to complete server compromise. 
The root cause is that the setup wizard writes the user-supplied database password (the \u003ccode\u003e$dbPassword\u003c/code\u003e value) into the generated PHP configuration file without sanitizing it, so a value containing PHP syntax becomes part of executable PHP source. This vulnerability is a result of an incomplete fix for a previous vulnerability, CVE-2025-62521. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access, data breaches, and complete system takeover. Upgrading to version 7.1.0 or later is strongly advised to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a malicious HTTP request to the ChurchCRM setup wizard on an instance where the wizard is still reachable.\u003c/li\u003e\n\u003cli\u003eThe request supplies a \u003ccode\u003e$dbPassword\u003c/code\u003e value containing attacker-controlled PHP code.\u003c/li\u003e\n\u003cli\u003eDue to insufficient sanitization, the value, and with it the injected PHP code, is written to the ChurchCRM configuration file.\u003c/li\u003e\n\u003cli\u003eThe configuration file is included by the application, so the injected PHP code executes on a subsequent request from the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the web server, running as the web server or PHP process user.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain full control of the server.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a persistent backdoor for continued access.\u003c/li\u003e\n\u003cli\u003eThe attacker may then exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39337 allows an unauthenticated attacker to achieve complete server compromise. This could result in the theft of sensitive church member data, modification or destruction of data, defacement of the ChurchCRM website, or use of the server as a platform for launching further attacks. Given the critical nature of the vulnerability and the ease of exploitation, organizations are at high risk. 
Exposure is limited to instances on which the setup wizard is still reachable, but any such instance can be compromised without credentials, so every fresh or incomplete installation exposed to a network is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ChurchCRM to version 7.1.0 or later to patch CVE-2026-39337.\u003c/li\u003e\n\u003cli\u003eConfirm that the setup wizard is no longer reachable on already-installed instances, and do not expose a new instance to untrusted networks until installation is complete.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the ChurchCRM setup wizard. Deploy a Sigma rule to detect suspicious POST requests to the install endpoint; on a completed installation any request to that endpoint is worth investigating.\u003c/li\u003e\n\u003cli\u003eNever interpolate user-supplied values into generated PHP source; store installer-provided settings as data in a non-executable configuration format, or at minimum escape them as string literals before writing them.\u003c/li\u003e\n\u003cli\u003eReview and harden the web server configuration to prevent unauthorized code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:45Z","date_published":"2026-04-07T18:16:45Z","id":"/briefs/2026-04-churchcrm-rce/","summary":"A critical pre-authentication remote code execution vulnerability in ChurchCRM versions prior to 7.1.0 allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise.","title":"ChurchCRM Pre-Authentication Remote Code Execution Vulnerability (CVE-2026-39337)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-39331"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39331","churchcrm","authorization-bypass","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM is an open-source church management system. Prior to version 7.1.0, a high-severity authorization bypass exists (CVE-2026-39331) that allows authenticated API users to modify family records without the privileges normally required. This is achieved by manipulating the \u003ccode\u003e{familyId}\u003c/code\u003e parameter in specific API requests. 
The vulnerability lies in the absence of role-based access control on several key API endpoints, including \u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, and \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e. This allows attackers to deactivate/reactivate families, spam verification emails, mark families as verified, and trigger geocoding actions without the necessary permissions. This vulnerability poses a significant risk to the integrity and availability of ChurchCRM data. Upgrade to version 7.1.0 to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ChurchCRM API with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target \u003ccode\u003efamilyId\u003c/code\u003e that they do not have modification rights for; family IDs are integer identifiers, so they can be enumerated rather than guessed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an API request to one of the vulnerable endpoints: \u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, or \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the \u003ccode\u003e{familyId}\u003c/code\u003e parameter in the request URL with the target \u003ccode\u003efamilyId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor example, the attacker sends a POST request to \u003ccode\u003e/family/123/activate/false\u003c/code\u003e to deactivate the family with ID 123.\u003c/li\u003e\n\u003cli\u003eDue to the lack of 
role-based access control, the server processes the request without verifying that the attacker holds the \u003ccode\u003eEditRecords\u003c/code\u003e privilege; the request is well-formed, so input validation would not have stopped it.\u003c/li\u003e\n\u003cli\u003eThe target family\u0026rsquo;s state is modified (e.g., deactivated, marked as verified).\u003c/li\u003e\n\u003cli\u003eThe attacker repeats this process for other families and actions, potentially causing widespread disruption or data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39331 allows an attacker to escalate privileges and manipulate sensitive family data within ChurchCRM. This can lead to unauthorized deactivation of families, generation of spam verification emails, inaccurate family verification status, and resource exhaustion due to excessive geocoding requests. While specific victim counts are unknown, all ChurchCRM instances prior to version 7.1.0 are vulnerable. The consequences include reputational damage, data integrity issues, and potential disruption of church operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade ChurchCRM to version 7.1.0 to patch CVE-2026-39331 and address the authorization bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the vulnerable API endpoints (\u003ccode\u003e/family/{familyId}/verify\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/url\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/verify/now\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/activate/{status}\u003c/code\u003e, \u003ccode\u003e/family/{familyId}/geocode\u003c/code\u003e) as detected by the Sigma rule \u0026ldquo;ChurchCRM Family ID Manipulation\u0026rdquo;. Legitimate use of these endpoints by privileged users produces identical log lines, so correlate hits with the requesting account and its privilege level, and look for one account touching many family IDs in a short window.\u003c/li\u003e\n\u003cli\u003eEnforce the \u003ccode\u003eEditRecords\u003c/code\u003e (or equivalent) authorization check on every family-modifying endpoint rather than relying on callers not knowing a \u003ccode\u003efamilyId\u003c/code\u003e; this applies to all API endpoints that handle sensitive 
data, especially family records.\u003c/li\u003e\n\u003cli\u003eBecause any authenticated API user can exploit this, review which accounts hold API access and disable those that are unused or do not need it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:44Z","date_published":"2026-04-07T18:16:44Z","id":"/briefs/2026-04-churchcrm-auth-bypass/","summary":"An authenticated API user of ChurchCRM prior to v7.1.0 can bypass authorization checks and modify arbitrary family records by manipulating the familyId parameter in API requests, leading to privilege escalation and potential data manipulation.","title":"ChurchCRM Authenticated API User Authorization Bypass (CVE-2026-39331)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-35573"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to a path traversal attack affecting versions prior to 6.5.3. This vulnerability resides in the backup restore functionality, specifically within \u003ccode\u003esrc/ChurchCRM/Backup/RestoreJob.php\u003c/code\u003e. Authenticated administrators can exploit this flaw by manipulating the \u003ccode\u003e$rawUploadedFile['name']\u003c/code\u003e parameter, which lacks proper sanitization. Uploaded files are meant to land in the \u003ccode\u003e/var/www/html/tmp_attach/ChurchCRMBackups/\u003c/code\u003e directory, but because the client-supplied name is used as-is, a name containing traversal sequences places an attacker-controlled file outside it. Successful exploitation leads to remote code execution via overwriting Apache\u0026rsquo;s \u003ccode\u003e.htaccess\u003c/code\u003e configuration files (on deployments that honour \u003ccode\u003e.htaccess\u003c/code\u003e overrides), effectively compromising the web server. 
Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and control of their systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker, holding an administrator account, logs into the ChurchCRM application.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the backup restore functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker prepares an upload whose content is a crafted \u003ccode\u003e.htaccess\u003c/code\u003e file and whose filename contains path traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the upload via the restore functionality, exploiting the path traversal vulnerability in \u003ccode\u003esrc/ChurchCRM/Backup/RestoreJob.php\u003c/code\u003e: the unsanitized \u003ccode\u003e$rawUploadedFile['name']\u003c/code\u003e parameter determines the destination, so the traversal sequences move the file out of the intended \u003ccode\u003eChurchCRMBackups\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.htaccess\u003c/code\u003e file is written to the web server\u0026rsquo;s document root or a sensitive directory, such as \u003ccode\u003e/var/www/html/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe overwritten \u003ccode\u003e.htaccess\u003c/code\u003e file modifies the Apache web server\u0026rsquo;s configuration, potentially enabling PHP execution for arbitrary file types or redirecting requests to attacker-controlled scripts. This step requires Apache with \u003ccode\u003eAllowOverride\u003c/code\u003e enabled for that directory; under nginx or \u003ccode\u003eAllowOverride None\u003c/code\u003e the file is ignored, although the arbitrary file write itself remains dangerous.\u003c/li\u003e\n\u003cli\u003eThe attacker requests a file placed with the same upload primitive (e.g., one with an image or text extension that contains PHP), which Apache now parses as PHP code due to the malicious \u003ccode\u003e.htaccess\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server, gaining remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to gain complete control of the ChurchCRM web server. 
This can lead to data breaches, defacement of the website, and the potential to use the compromised server as a launchpad for further attacks within the network. Given the sensitive nature of data often stored in ChurchCRM systems (e.g., personal contact information, financial records), the compromise can have severe consequences for both the organization and its members. While the exact number of vulnerable installations is unknown, every pre-6.5.3 deployment on Apache with \u003ccode\u003e.htaccess\u003c/code\u003e overrides enabled is exposed, and the administrator-account requirement offers little protection once such an account is phished, reused, or weakly protected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 6.5.3 or later to patch the vulnerability described in CVE-2026-35573.\u003c/li\u003e\n\u003cli\u003eTreat client-supplied filenames as untrusted in any upload handler: derive the destination from a server-generated name (or at least \u003ccode\u003ebasename()\u003c/code\u003e of the supplied one) and reject names containing path separators or traversal sequences.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation in the \u003ccode\u003e/var/www/html/tmp_attach/ChurchCRMBackups/\u003c/code\u003e directory with unexpected file extensions, and for files appearing outside that directory following a restore request, using the \u0026ldquo;ChurchCRM Suspicious File Upload\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement the \u0026ldquo;ChurchCRM .htaccess File Creation\u0026rdquo; Sigma rule to detect the creation of .htaccess files in web directories, and set \u003ccode\u003eAllowOverride None\u003c/code\u003e where the deployment does not need per-directory overrides, which removes this execution vector.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T18:16:41Z","date_published":"2026-04-07T18:16:41Z","id":"/briefs/2026-04-churchcrm-traversal/","summary":"A path traversal vulnerability in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to upload arbitrary files, leading to remote code execution by overwriting Apache .htaccess files.","title":"ChurchCRM Path Traversal Vulnerability Leading to Remote Code 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35567"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-35567","sql-injection","churchcrm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is susceptible to SQL injection attacks in versions prior to 7.1.0. The vulnerability, identified as CVE-2026-35567, resides in the \u003ccode\u003esrc/MemberRoleChange.php\u003c/code\u003e file, specifically within the \u003ccode\u003eNewRole\u003c/code\u003e POST parameter. Exploitation requires an attacker to have an authenticated session with the \u003ccode\u003eManageGroups\u003c/code\u003e role, along with knowledge of valid \u003ccode\u003eGroupID\u003c/code\u003e and \u003ccode\u003ePersonID\u003c/code\u003e values, which can be obtained from the \u003ccode\u003eGroupView\u003c/code\u003e or \u003ccode\u003ePersonView\u003c/code\u003e pages. Successful exploitation can lead to unauthorized data access, modification, or deletion within the ChurchCRM database. 
The vulnerability is resolved in ChurchCRM version 7.1.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains authenticated access to ChurchCRM with a user account possessing the \u003ccode\u003eManageGroups\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eAttacker identifies valid \u003ccode\u003eGroupID\u003c/code\u003e and \u003ccode\u003ePersonID\u003c/code\u003e values by browsing the \u003ccode\u003eGroupView\u003c/code\u003e or \u003ccode\u003ePersonView\u003c/code\u003e pages.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting \u003ccode\u003esrc/MemberRoleChange.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003eNewRole\u003c/code\u003e parameter containing a crafted SQL injection payload; the parameter is concatenated into the query as-is instead of being cast to an integer or bound as a parameter.\u003c/li\u003e\n\u003cli\u003eThe application executes the SQL query incorporating the injected payload.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data from the database, modifies existing data, or injects malicious data.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the SQL injection to create a new administrative user, depending on the injection context and whether the database driver permits stacked queries; at minimum, data can be read.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the new administrative account to take complete control of the ChurchCRM instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-35567) in ChurchCRM can result in the complete compromise of the application\u0026rsquo;s database. An attacker can gain unauthorized access to sensitive church member data, including personally identifiable information (PII). This can lead to data breaches, identity theft, and financial fraud. Malicious actors could also modify or delete data, disrupting church operations and potentially causing reputational damage. 
The impact is severe (rated high, CVSS 8.8), especially considering the sensitive nature of the data managed by ChurchCRM.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM installations to version 7.1.0 or later to remediate the SQL injection vulnerability (CVE-2026-35567).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious POST requests to \u003ccode\u003esrc/MemberRoleChange.php\u003c/code\u003e containing potential SQL injection attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity related to \u003ccode\u003eMemberRoleChange.php\u003c/code\u003e, especially concerning the \u003ccode\u003eNewRole\u003c/code\u003e parameter (webserver log source). Note that \u003ccode\u003eNewRole\u003c/code\u003e is a POST body parameter, so standard access logs that record only the request line will not contain it; inspecting the parameter itself requires a WAF, reverse proxy, or application log that captures request bodies.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures for all user-supplied data; for \u003ccode\u003eNewRole\u003c/code\u003e and similar parameters, cast to an integer (or reject non-integer values) and use prepared statements with bound parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T16:16:29Z","date_published":"2026-04-07T16:16:29Z","id":"/briefs/2026-04-churchcrm-sqli/","summary":"ChurchCRM versions prior to 7.1.0 are vulnerable to SQL injection via the NewRole POST parameter, allowing authenticated users with the ManageGroups role to execute arbitrary SQL commands.","title":"ChurchCRM SQL Injection Vulnerability (CVE-2026-35567)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34402"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqlinjection","cve-2026-34402","churchcrm","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChurchCRM is an open-source church management system. Prior to version 7.1.0, the application suffers from a time-based blind SQL injection vulnerability (CVE-2026-34402). 
Authenticated users with either \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions can exploit this flaw. Successful exploitation allows attackers to exfiltrate or modify any database content, which could include user credentials, personally identifiable information (PII), and configuration secrets. The vulnerable endpoint is \u003ccode\u003ePropertyAssign.php\u003c/code\u003e. This vulnerability was fixed in version 7.1.0 of ChurchCRM. Defenders should prioritize patching vulnerable instances to prevent unauthorized access and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for ChurchCRM, with \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions. This could be achieved through credential stuffing, password reuse, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003ePropertyAssign.php\u003c/code\u003e endpoint. 
This request contains a SQL injection payload within a parameter processed by the application.\u003c/li\u003e\n\u003cli\u003eThe application concatenates the parameter into a database query without parameterization, so the payload is executed as SQL.\u003c/li\u003e\n\u003cli\u003eBecause the response reveals neither query results nor error text (a blind injection), the attacker uses time-based techniques (e.g., \u003ccode\u003eSLEEP()\u003c/code\u003e) and measures response latency to infer, roughly one yes/no answer per request, information about the database structure and content.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through many SQL injection payloads, usually with an automated tool since each extracted character costs several requests, slowly extracting sensitive data such as usernames, password hashes, and other PII.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify database records to escalate privileges, create new administrative accounts, or sabotage the application\u0026rsquo;s functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data.\u003c/li\u003e\n\u003cli\u003eThe end result is a compromise of the confidentiality, integrity, and availability of the ChurchCRM database, potentially leading to significant data breaches and reputational damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34402 can have serious consequences. An attacker can gain unauthorized access to sensitive data stored within the ChurchCRM database. This includes user credentials, PII, and configuration secrets. The attacker can also modify database records, potentially disrupting church operations or causing financial harm. Given the sensitive nature of the data often stored in church management systems, the impact of this vulnerability could be substantial. 
The vulnerability affects ChurchCRM installations prior to version 7.1.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM installations to version 7.1.0 or later to remediate CVE-2026-34402.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting requests to \u003ccode\u003ePropertyAssign.php\u003c/code\u003e containing \u003ccode\u003eSLEEP()\u003c/code\u003e to your SIEM and tune it for your environment. \u003ccode\u003eSLEEP()\u003c/code\u003e is only one delay primitive: extend the rule to \u003ccode\u003eBENCHMARK()\u003c/code\u003e and to URL-encoded and case-varied forms, and treat a burst of requests to this endpoint from one session with unusually long response times as a complementary signal, since that pattern is characteristic of automated time-based extraction.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003ePropertyAssign.php\u003c/code\u003e endpoint, including request volume and response time per account.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block SQL injection attempts as a compensating control while the upgrade is scheduled, not as a substitute for it.\u003c/li\u003e\n\u003cli\u003eReview user access controls within ChurchCRM to ensure that only authorized personnel have \u0026ldquo;Edit Records\u0026rdquo; or \u0026ldquo;Manage Groups\u0026rdquo; permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:35Z","date_published":"2026-04-06T16:16:35Z","id":"/briefs/2026-04-churchcrm-sql-injection/","summary":"CVE-2026-34402 is a time-based blind SQL injection vulnerability in ChurchCRM versions prior to 7.1.0. Authenticated users with Edit Records or Manage Groups permissions can exploit the PropertyAssign.php endpoint to exfiltrate or modify database content, including user credentials, PII, and configuration secrets.","title":"ChurchCRM Time-Based Blind SQL Injection Vulnerability (CVE-2026-34402)","url":"https://feed.craftedsignal.io/briefs/2026-04-churchcrm-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Churchcrm","version":"https://jsonfeed.org/version/1.1"}