Attack Chain

1. Attacker gains authenticated access to ChurchCRM with a user account possessing the ManageGroups role.
2. Attacker identifies valid GroupID and PersonID values by browsing the GroupView or PersonView pages.
3. Attacker crafts a malicious HTTP POST request targeting src/MemberRoleChange.php.
4. The POST request includes the NewRole parameter containing a crafted SQL injection payload, exploiting the lack of proper integer validation.
5. The application executes the SQL query incorporating the injected payload.
6. The attacker retrieves sensitive data from the database, modifies existing data, or injects malicious data.
7. The attacker could leverage the SQL injection to create a new administrative user.
8. The attacker uses the new administrative account to take complete control of the ChurchCRM instance.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-35567) in ChurchCRM can result in the complete compromise of the application’s database. An attacker can gain unauthorized access to sensitive church member data, including personally identifiable information (PII). This can lead to data breaches, identity theft, and financial fraud. Malicious actors could also modify or delete data, disrupting church operations and potentially causing reputational damage. The impact is critical, especially considering the sensitive nature of the data managed by ChurchCRM.

Recommendation

• Upgrade ChurchCRM installations to version 7.1.0 or later to remediate the SQL injection vulnerability (CVE-2026-35567).
• Deploy the provided Sigma rule to detect suspicious POST requests to src/MemberRoleChange.php containing potential SQL injection attempts.
• Monitor web server logs for unusual activity related to MemberRoleChange.php, especially concerning the NewRole parameter (webserver log source).
• Implement input validation and sanitization measures for all user-supplied data, focusing on integer validation for parameters like NewRole.