<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-40484 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-40484/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-40484/feed.xml" rel="self" type="application/rss+xml"/><item><title>ChurchCRM Remote Code Execution via Backup Restore Vulnerability (CVE-2026-40484)</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-churchcrm-rce/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-churchcrm-rce/</guid><description>ChurchCRM versions before 7.2.0 are vulnerable to remote code execution (RCE) due to insufficient file extension filtering during database backup restoration, allowing an authenticated administrator to upload a crafted archive containing a PHP webshell that can be executed via HTTP requests.</description><content:encoded><![CDATA[<p>ChurchCRM, an open-source church management system, is susceptible to remote code execution (RCE) in versions prior to 7.2.0. This vulnerability stems from the insecure handling of database backup restoration. Specifically, the <code>recursiveCopyDirectory()</code> function fails to adequately filter file extensions when extracting uploaded archive contents from the <code>Images/</code> directory, copying files into the web-accessible document root. An authenticated administrator can exploit this by uploading a malicious backup archive containing a PHP webshell. Due to the lack of file extension filtering, this webshell is written to a publicly accessible path, enabling attackers to execute arbitrary code on the server as the web server user via HTTP requests. The absence of CSRF token validation on the restore endpoint further exacerbates the issue, enabling cross-site request forgery (CSRF) attacks against authenticated administrators. This vulnerability is identified as CVE-2026-40484.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains valid administrator credentials to the ChurchCRM application.</li>
<li>Attacker crafts a malicious backup archive containing a PHP webshell file (e.g., <code>shell.php</code>) within an <code>Images/</code> directory structure.</li>
<li>The attacker uploads the crafted backup archive through the ChurchCRM administrative interface using the database backup restore functionality.</li>
<li>The application's <code>recursiveCopyDirectory()</code> function extracts the archive contents without proper file extension filtering.</li>
<li>The PHP webshell file (e.g., <code>shell.php</code>) is copied from the <code>Images/</code> directory within the archive to a publicly accessible directory in the web server's document root.</li>
<li>The attacker leverages the lack of CSRF protection in the restore endpoint, possibly by tricking an administrator into triggering the restore via a malicious link or website.</li>
<li>The attacker sends an HTTP request to the uploaded PHP webshell (e.g., <code>http://churchcrm.example.com/Images/shell.php?cmd=whoami</code>) to execute arbitrary code on the server.</li>
<li>The web server executes the PHP code, granting the attacker remote code execution capabilities as the web server user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the ChurchCRM server with the privileges of the web server user. This could lead to complete compromise of the server, data exfiltration (including sensitive church member data), defacement of the website, or further lateral movement within the network. Given the sensitive nature of data typically stored in church management systems, the impact can be severe.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ChurchCRM to version 7.2.0 or later to patch CVE-2026-40484 immediately.</li>
<li>Implement a web application firewall (WAF) rule to detect and block requests to potentially malicious PHP files uploaded to the <code>Images/</code> directory, specifically targeting HTTP requests with suspicious parameters like <code>cmd=</code>.</li>
<li>Deploy the Sigma rule detecting suspicious PHP file creation in web directories to identify potential webshell uploads.</li>
<li>Enable logging for web server access and error logs and monitor for unusual activity, especially related to the <code>Images/</code> directory.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-40484</category><category>ChurchCRM</category><category>Remote Code Execution</category><category>Web Shell</category><category>CSRF</category></item></channel></rss>