Tag
ChurchCRM versions prior to 7.1.0 are vulnerable to SQL injection via the NewRole POST parameter, allowing authenticated users with the ManageGroups role to execute arbitrary SQL commands.