{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40581/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40581"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ChurchCRM"],"_cs_severities":["high"],"_cs_tags":["CVE-2026-40581","csrf","churchcrm","data-deletion"],"_cs_type":"advisory","_cs_vendors":["ChurchCRM"],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is susceptible to a critical Cross-Site Request Forgery (CSRF) vulnerability in versions prior to 7.2.0. Specifically, the family record deletion endpoint (SelectDelete.php) lacks CSRF token validation. This allows an attacker to craft a malicious web page that, when visited by an authenticated ChurchCRM administrator, will silently trigger the deletion of family records. The scope of this vulnerability extends to all associated data, including notes, pledges, persons, and property information. Successful exploitation results in irreversible data loss without user confirmation. Users are advised to upgrade to version 7.2.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable ChurchCRM instance running a version prior to 7.2.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing an \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;iframe\u0026gt;\u003c/code\u003e tag that makes a GET request to \u003ccode\u003eSelectDelete.php\u003c/code\u003e with the ID of the target family record.  The URL looks like: \u003ccode\u003ehttps://example.com/ChurchCRM/FamilyView.php?FamilyID=123\u0026amp;Action=Delete\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker social engineers an authenticated ChurchCRM administrator into visiting the malicious HTML page (e.g., via phishing or embedding the page on a compromised website).\u003c/li\u003e\n\u003cli\u003eThe administrator's browser automatically sends the GET request to \u003ccode\u003eSelectDelete.php\u003c/code\u003e along with the administrator's valid session cookies.\u003c/li\u003e\n\u003cli\u003eThe ChurchCRM server, lacking CSRF protection, processes the request and deletes the specified family record and all associated data.\u003c/li\u003e\n\u003cli\u003eThe targeted family record, along with associated notes, pledges, persons, and property data, is permanently and irreversibly deleted from the ChurchCRM database.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves the objective of data deletion and potential disruption of church management operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful CSRF attack against ChurchCRM can result in the permanent and irreversible deletion of sensitive family records and associated data, potentially affecting hundreds or thousands of individuals depending on the size of the church and its record-keeping practices. This data loss can disrupt church operations, damage relationships with members, and lead to legal or regulatory compliance issues depending on the nature of the stored data. The lack of user interaction required for this exploit makes it particularly dangerous as administrators may be unaware that data is being deleted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 7.2.0 or later to patch the CSRF vulnerability in \u003ccode\u003eSelectDelete.php\u003c/code\u003e (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious requests to \u003ccode\u003eSelectDelete.php\u003c/code\u003e (see Rules).\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests to \u003ccode\u003eSelectDelete.php\u003c/code\u003e that lack a valid CSRF token, if possible.\u003c/li\u003e\n\u003cli\u003eEducate ChurchCRM administrators about the risks of CSRF attacks and the importance of avoiding suspicious links or websites.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-churchcrm-csrf/","summary":"ChurchCRM versions prior to 7.2.0 are vulnerable to a CSRF attack on the family record deletion endpoint allowing an attacker to trigger deletion of family records by enticing an authenticated administrator to visit a malicious page.","title":"ChurchCRM \u003c 7.2.0 Family Record Deletion CSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-churchcrm-csrf/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-40581","version":"https://jsonfeed.org/version/1.1"}