{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40484/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40484"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ChurchCRM"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-40484","ChurchCRM","Remote Code Execution","Web Shell","CSRF"],"_cs_type":"advisory","_cs_vendors":["ChurchCRM"],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is susceptible to remote code execution (RCE) in versions prior to 7.2.0. This vulnerability stems from the insecure handling of database backup restoration. Specifically, the \u003ccode\u003erecursiveCopyDirectory()\u003c/code\u003e function fails to adequately filter file extensions when extracting uploaded archive contents from the \u003ccode\u003eImages/\u003c/code\u003e directory, copying files into the web-accessible document root. An authenticated administrator can exploit this by uploading a malicious backup archive containing a PHP webshell. Due to the lack of file extension filtering, this webshell is written to a publicly accessible path, enabling attackers to execute arbitrary code on the server as the web server user via HTTP requests. The absence of CSRF token validation on the restore endpoint further exacerbates the issue, enabling cross-site request forgery (CSRF) attacks against authenticated administrators. This vulnerability is identified as CVE-2026-40484.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains valid administrator credentials to the ChurchCRM application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious backup archive containing a PHP webshell file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) within an \u003ccode\u003eImages/\u003c/code\u003e directory structure.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted backup archive through the ChurchCRM administrative interface using the database backup restore functionality.\u003c/li\u003e\n\u003cli\u003eThe application's \u003ccode\u003erecursiveCopyDirectory()\u003c/code\u003e function extracts the archive contents without proper file extension filtering.\u003c/li\u003e\n\u003cli\u003eThe PHP webshell file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) is copied from the \u003ccode\u003eImages/\u003c/code\u003e directory within the archive to a publicly accessible directory in the web server's document root.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the lack of CSRF protection in the restore endpoint, possibly by tricking an administrator into triggering the restore via a malicious link or website.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded PHP webshell (e.g., \u003ccode\u003ehttp://churchcrm.example.com/Images/shell.php?cmd=whoami\u003c/code\u003e) to execute arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code, granting the attacker remote code execution capabilities as the web server user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the ChurchCRM server with the privileges of the web server user. This could lead to complete compromise of the server, data exfiltration (including sensitive church member data), defacement of the website, or further lateral movement within the network. Given the sensitive nature of data typically stored in church management systems, the impact can be severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 7.2.0 or later to patch CVE-2026-40484 immediately.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to detect and block requests to potentially malicious PHP files uploaded to the \u003ccode\u003eImages/\u003c/code\u003e directory, specifically targeting HTTP requests with suspicious parameters like \u003ccode\u003ecmd=\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious PHP file creation in web directories to identify potential webshell uploads.\u003c/li\u003e\n\u003cli\u003eEnable logging for web server access and error logs and monitor for unusual activity, especially related to the \u003ccode\u003eImages/\u003c/code\u003e directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-churchcrm-rce/","summary":"ChurchCRM versions before 7.2.0 are vulnerable to remote code execution (RCE) due to insufficient file extension filtering during database backup restoration, allowing an authenticated administrator to upload a crafted archive containing a PHP webshell that can be executed via HTTP requests.","title":"ChurchCRM Remote Code Execution via Backup Restore Vulnerability (CVE-2026-40484)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-churchcrm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-40484","version":"https://jsonfeed.org/version/1.1"}