Churchcrm — CraftedSignal Threat Feed

ChurchCRM Stored XSS Vulnerability in Person Property Management

hello@craftedsignal.io — Wed, 08 Apr 2026 12:00:00 +0000

ChurchCRM, an open-source church management system, is vulnerable to a stored cross-site scripting (XSS) attack affecting versions prior to 7.0.0. This vulnerability resides within the Person Property Management subsystem and stems from insufficient input sanitization when handling dynamically assigned person properties. An authenticated attacker can inject malicious JavaScript code, which is then persistently stored in the database. When other users view the compromised person’s profile or access the printable view of that profile, the injected script executes, potentially leading to session hijacking or complete account takeover. This issue impacts versions patched for CVE-2023-38766, highlighting a persistent weakness. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and data breaches. Users are advised to update to version 7.0.0 or later to remediate this vulnerability.

Attack Chain

Attacker authenticates to ChurchCRM with valid user credentials.
Attacker navigates to the Person Property Management section.
Attacker creates or modifies a dynamically assigned person property, injecting malicious JavaScript code into a property field. Example payload: .
The application stores the malicious payload in the database without proper sanitization.
A different user views the profile of the person with the compromised property.
The stored XSS payload is rendered within the user’s browser, executing the injected JavaScript code.
The attacker’s JavaScript code steals the user’s session cookie or redirects the user to a phishing page.
The attacker uses the stolen session cookie to hijack the user’s session and gain unauthorized access to the application, potentially escalating privileges and accessing sensitive data.

Impact

Successful exploitation of this stored XSS vulnerability can lead to session hijacking and full account compromise. Attackers could gain unauthorized access to sensitive church member data, modify records, or perform administrative functions within the ChurchCRM system. The impact ranges from data theft and privacy breaches to complete disruption of church management operations. Given the potential for widespread access to sensitive personal information, organizations are strongly advised to apply the necessary updates to mitigate this risk. The CVSS v3.1 base score for this vulnerability is 8.7, indicating a high severity.

Recommendation

Upgrade ChurchCRM to version 7.0.0 or later to patch the vulnerability (CVE-2026-35576).
Deploy the provided Sigma rule to detect potential XSS attempts via crafted property values.
Review and audit existing dynamically assigned person properties for suspicious script tags to identify potentially compromised records.
Implement input validation and output encoding to prevent future XSS vulnerabilities in ChurchCRM.

ChurchCRM Pre-Authentication Remote Code Execution Vulnerability (CVE-2026-39337)

hello@craftedsignal.io — Tue, 07 Apr 2026 18:16:45 +0000

ChurchCRM, an open-source church management system, is vulnerable to a critical pre-authentication remote code execution (RCE) flaw, identified as CVE-2026-39337. This vulnerability affects versions prior to 7.1.0. Unauthenticated attackers can exploit the setup wizard during the initial installation process to inject arbitrary PHP code, leading to complete server compromise. The root cause lies in the insufficient sanitization of the “$dbPassword” variable. This vulnerability is a result of an incomplete fix for a previous vulnerability, CVE-2025-62521. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access, data breaches, and complete system takeover. Upgrading to version 7.1.0 or later is strongly advised to mitigate this risk.

Attack Chain

An unauthenticated attacker sends a malicious HTTP request to the ChurchCRM setup wizard.
The malicious request injects arbitrary PHP code into the $dbPassword variable during the setup process.
Due to insufficient sanitization, the injected PHP code is written to the ChurchCRM configuration file.
The attacker triggers the execution of the configuration file, executing the injected PHP code.
The attacker gains arbitrary code execution on the web server.
The attacker escalates privileges to gain full control of the server.
The attacker installs a persistent backdoor for continued access.
The attacker may then exfiltrate sensitive data or deploy ransomware.

Impact

Successful exploitation of CVE-2026-39337 allows an unauthenticated attacker to achieve complete server compromise. This could result in the theft of sensitive church member data, modification or destruction of data, defacement of the ChurchCRM website, or use of the server as a platform for launching further attacks. Given the critical nature of the vulnerability and the ease of exploitation, organizations are at high risk. The number of potential victims is high considering the wide usage of this CRM.

Recommendation

Immediately upgrade ChurchCRM to version 7.1.0 or later to patch CVE-2026-39337.
Monitor web server logs for suspicious activity related to the ChurchCRM setup wizard. Deploy a Sigma rule to detect suspicious POST requests to the install endpoint.
Implement strong input validation and sanitization for all user-supplied data, especially during the installation process.
Review and harden the web server configuration to prevent unauthorized code execution.

ChurchCRM Authenticated API User Authorization Bypass (CVE-2026-39331)

hello@craftedsignal.io — Tue, 07 Apr 2026 18:16:44 +0000

ChurchCRM is an open-source church management system. Prior to version 7.1.0, a critical vulnerability exists (CVE-2026-39331) that allows authenticated API users to bypass authorization controls and modify family records without proper privileges. This is achieved by manipulating the {familyId} parameter in specific API requests. The vulnerability lies in the absence of role-based access control on several key API endpoints, including /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode. This allows attackers to deactivate/reactivate families, spam verification emails, mark families as verified, and trigger geocoding actions without the necessary permissions. This vulnerability poses a significant risk to the integrity and availability of ChurchCRM data, especially in multi-tenant environments. Upgrade to version 7.1.0 to remediate this vulnerability.

Attack Chain

An attacker authenticates to the ChurchCRM API with valid user credentials.
The attacker identifies a target familyId that they do not have explicit modification rights for.
The attacker crafts a malicious API request to one of the vulnerable endpoints: /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, or /family/{familyId}/geocode.
The attacker replaces the {familyId} parameter in the request URL with the target familyId.
For example, the attacker sends a POST request to /family/123/activate/false to deactivate family with ID 123.
Due to the lack of role-based access control, the server processes the request without verifying if the attacker has the necessary EditRecords privilege.
The target family’s state is modified (e.g., deactivated, marked as verified).
The attacker repeats this process for other families and actions, potentially causing widespread disruption or data manipulation.

Impact

Successful exploitation of CVE-2026-39331 allows an attacker to escalate privileges and manipulate sensitive family data within ChurchCRM. This can lead to unauthorized deactivation of families, generation of spam verification emails, inaccurate family verification status, and resource exhaustion due to excessive geocoding requests. While specific victim counts are unknown, all ChurchCRM instances prior to version 7.1.0 are vulnerable. The consequences include reputational damage, data integrity issues, and potential disruption of church operations.

Recommendation

Immediately upgrade ChurchCRM to version 7.1.0 to patch CVE-2026-39331 and address the authorization bypass vulnerability.
Monitor web server logs for suspicious requests to the vulnerable API endpoints (/family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, /family/{familyId}/geocode) as detected by the Sigma rule “ChurchCRM Family ID Manipulation”.
Implement stricter input validation and role-based access controls on all API endpoints to prevent unauthorized data modification, especially those handling sensitive data like family records.
Review and audit existing ChurchCRM user permissions to identify and revoke any unnecessary privileges that could be exploited in conjunction with this vulnerability.

ChurchCRM Path Traversal Vulnerability Leading to Remote Code Execution

hello@craftedsignal.io — Tue, 07 Apr 2026 18:16:41 +0000

ChurchCRM, an open-source church management system, is vulnerable to a path traversal attack affecting versions prior to 6.5.3. This vulnerability resides in the backup restore functionality, specifically within src/ChurchCRM/Backup/RestoreJob.php. Authenticated administrators can exploit this flaw by manipulating the $rawUploadedFile['name'] parameter, which lacks proper sanitization. This allows for the upload of arbitrary files with attacker-controlled names to the /var/www/html/tmp_attach/ChurchCRMBackups/ directory. Successful exploitation leads to remote code execution via overwriting Apache’s .htaccess configuration files, effectively compromising the web server. Organizations using vulnerable versions of ChurchCRM are at risk of unauthorized access and control of their systems.

Attack Chain

An authenticated administrator logs into the ChurchCRM application.
The administrator navigates to the backup restore functionality.
The attacker crafts a malicious backup archive containing a crafted .htaccess file.
The attacker uploads the malicious backup archive via the restore functionality, exploiting the path traversal vulnerability in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is manipulated to control the file’s destination.
The malicious .htaccess file is written to the web server’s document root or a sensitive directory, such as /var/www/html/.
The overwritten .htaccess file modifies the Apache web server’s configuration, potentially enabling PHP execution for arbitrary file types or redirecting requests to attacker-controlled scripts.
The attacker accesses a file (e.g., an image or text file) which is now parsed as PHP code due to the malicious .htaccess configuration.
The attacker executes arbitrary code on the server, gaining remote code execution.

Impact

Successful exploitation of this vulnerability allows attackers to gain complete control of the ChurchCRM web server. This can lead to data breaches, defacement of the website, and the potential to use the compromised server as a launchpad for further attacks within the network. Given the sensitive nature of data often stored in ChurchCRM systems (e.g., personal contact information, financial records), the compromise can have severe consequences for both the organization and its members. While the exact number of vulnerable installations is unknown, the widespread use of ChurchCRM makes this a significant threat.

Recommendation

Upgrade ChurchCRM to version 6.5.3 or later to patch the vulnerability described in CVE-2026-35573.
Implement strict file upload validation and sanitization to prevent path traversal vulnerabilities in other web applications.
Monitor web server logs for suspicious file uploads to /var/www/html/tmp_attach/ChurchCRMBackups/ directory, looking for unexpected file extensions using the “ChurchCRM Suspicious File Upload” Sigma rule.
Implement the “ChurchCRM .htaccess File Creation” Sigma rule to detect the creation of .htaccess files in web directories.

ChurchCRM SQL Injection Vulnerability (CVE-2026-35567)

hello@craftedsignal.io — Tue, 07 Apr 2026 16:16:29 +0000

ChurchCRM, an open-source church management system, is susceptible to SQL injection attacks in versions prior to 7.1.0. The vulnerability, identified as CVE-2026-35567, resides in the src/MemberRoleChange.php file, specifically within the NewRole POST parameter. Exploitation requires an attacker to have an authenticated session with the ManageGroups role, along with knowledge of valid GroupID and PersonID values, which can be obtained from the GroupView or PersonView pages. Successful exploitation can lead to unauthorized data access, modification, or deletion within the ChurchCRM database. The vulnerability is resolved in ChurchCRM version 7.1.0.

Attack Chain

Attacker gains authenticated access to ChurchCRM with a user account possessing the ManageGroups role.
Attacker identifies valid GroupID and PersonID values by browsing the GroupView or PersonView pages.
Attacker crafts a malicious HTTP POST request targeting src/MemberRoleChange.php.
The POST request includes the NewRole parameter containing a crafted SQL injection payload, exploiting the lack of proper integer validation.
The application executes the SQL query incorporating the injected payload.
The attacker retrieves sensitive data from the database, modifies existing data, or injects malicious data.
The attacker could leverage the SQL injection to create a new administrative user.
The attacker uses the new administrative account to take complete control of the ChurchCRM instance.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-35567) in ChurchCRM can result in the complete compromise of the application’s database. An attacker can gain unauthorized access to sensitive church member data, including personally identifiable information (PII). This can lead to data breaches, identity theft, and financial fraud. Malicious actors could also modify or delete data, disrupting church operations and potentially causing reputational damage. The impact is critical, especially considering the sensitive nature of the data managed by ChurchCRM.

Recommendation

Upgrade ChurchCRM installations to version 7.1.0 or later to remediate the SQL injection vulnerability (CVE-2026-35567).
Deploy the provided Sigma rule to detect suspicious POST requests to src/MemberRoleChange.php containing potential SQL injection attempts.
Monitor web server logs for unusual activity related to MemberRoleChange.php, especially concerning the NewRole parameter (webserver log source).
Implement input validation and sanitization measures for all user-supplied data, focusing on integer validation for parameters like NewRole.

ChurchCRM Time-Based Blind SQL Injection Vulnerability (CVE-2026-34402)

hello@craftedsignal.io — Mon, 06 Apr 2026 16:16:35 +0000

ChurchCRM is an open-source church management system. Prior to version 7.1.0, the application suffers from a time-based blind SQL injection vulnerability (CVE-2026-34402). Authenticated users with either “Edit Records” or “Manage Groups” permissions can exploit this flaw. Successful exploitation allows attackers to exfiltrate or modify any database content, which could include user credentials, personally identifiable information (PII), and configuration secrets. The vulnerable endpoint is PropertyAssign.php. This vulnerability was addressed and fixed in version 7.1.0 of ChurchCRM. Defenders should prioritize patching vulnerable instances to prevent unauthorized access and data breaches.

Attack Chain

An attacker gains valid credentials for ChurchCRM, with “Edit Records” or “Manage Groups” permissions. This could be achieved through credential stuffing, password reuse, or other means.
The attacker crafts a malicious HTTP request targeting the PropertyAssign.php endpoint. This request contains a SQL injection payload within a parameter processed by the application.
The application processes the malicious SQL query, injecting it into the database query without proper sanitization.
Due to the blind nature of the SQL injection, the attacker uses time-based techniques (e.g., SLEEP()) to infer information about the database structure and content.
The attacker iterates through various SQL injection payloads, slowly extracting sensitive data such as usernames, password hashes, and other PII.
The attacker may modify database records to escalate privileges, create new administrative accounts, or sabotage the application’s functionality.
The attacker exfiltrates the stolen data.
The final objective is to compromise the confidentiality, integrity, and availability of the ChurchCRM database, potentially leading to significant data breaches and reputational damage.

Impact

Successful exploitation of CVE-2026-34402 can have serious consequences. An attacker can gain unauthorized access to sensitive data stored within the ChurchCRM database. This includes user credentials, PII, and configuration secrets. The attacker can also modify database records, potentially disrupting church operations or causing financial harm. Given the sensitive nature of the data often stored in church management systems, the impact of this vulnerability could be substantial. The vulnerability affects ChurchCRM installations prior to version 7.1.0.

Recommendation

Upgrade ChurchCRM installations to version 7.1.0 or later to remediate CVE-2026-34402.
Deploy the Sigma rule detecting requests to PropertyAssign.php with sleep commands to your SIEM and tune for your environment.
Monitor web server logs for suspicious activity targeting the PropertyAssign.php endpoint.
Implement web application firewall (WAF) rules to block SQL injection attempts.
Review user access controls within ChurchCRM to ensure that only authorized personnel have “Edit Records” or “Manage Groups” permissions.