{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/churchcrm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-39323"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ChurchCRM"],"_cs_severities":["critical"],"_cs_tags":["churchcrm","sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":["ChurchCRM"],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is vulnerable to SQL injection in versions prior to 7.1.0. The vulnerability, identified as CVE-2026-39323, resides in the PropertyTypeEditor.php component. The root cause is the insufficient sanitization of the Name and Description POST parameters. These parameters are only processed with \u003ccode\u003estrip_tags()\u003c/code\u003e before being directly concatenated into SQL queries. An authenticated user with \u0026quot;Manage Properties\u0026quot; permission can exploit this by injecting malicious SQL code through these parameters. Successful exploitation allows the attacker to execute arbitrary SQL commands, giving them the ability to exfiltrate sensitive data, modify existing records, or delete critical information from the database. The injected data persists in the database and is reflected across multiple application pages without proper output encoding, amplifying the impact. Users of ChurchCRM are advised to upgrade to version 7.1.0 or later to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ChurchCRM application with an account that has the \u0026quot;Manage Properties\u0026quot; permission.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting \u003ccode\u003ePropertyTypeEditor.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes SQL injection payloads within the \u003ccode\u003eName\u003c/code\u003e and/or \u003ccode\u003eDescription\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePropertyTypeEditor.php\u003c/code\u003e script receives the POST request and applies \u003ccode\u003estrip_tags()\u003c/code\u003e to the \u003ccode\u003eName\u003c/code\u003e and \u003ccode\u003eDescription\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe sanitized, but still vulnerable, \u003ccode\u003eName\u003c/code\u003e and \u003ccode\u003eDescription\u003c/code\u003e parameters are concatenated directly into an SQL query without proper escaping or parameterization.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is executed against the ChurchCRM database.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to manipulate database records, potentially exfiltrating sensitive data like user credentials, financial records, or personal information.\u003c/li\u003e\n\u003cli\u003eThe injected data persists in the database and gets reflected in other application pages, further compromising the application's integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-39323) in ChurchCRM can lead to severe consequences. An attacker can gain unauthorized access to sensitive data, including member information, financial records, and user credentials. The attacker could modify or delete critical data, disrupting church operations and potentially leading to financial losses. The number of organizations potentially affected is significant, as ChurchCRM is a widely used open-source solution for church management. The injected data will persist in the database and is reflected across multiple application pages without output encoding.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 7.1.0 or later to patch the SQL injection vulnerability (CVE-2026-39323).\u003c/li\u003e\n\u003cli\u003eImplement input validation and parameterized queries to prevent SQL injection attacks in \u003ccode\u003ePropertyTypeEditor.php\u003c/code\u003e and other database interaction points within ChurchCRM.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts targeting \u003ccode\u003ePropertyTypeEditor.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for suspicious POST requests to \u003ccode\u003ePropertyTypeEditor.php\u003c/code\u003e (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-churchcrm-sqli/","summary":"A critical SQL injection vulnerability (CVE-2026-39323) in ChurchCRM versions prior to 7.1.0 allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands via unsanitized POST parameters in PropertyTypeEditor.php, leading to potential data exfiltration, modification, or deletion.","title":"ChurchCRM SQL Injection Vulnerability in PropertyTypeEditor.php","url":"https://feed.craftedsignal.io/briefs/2024-01-29-churchcrm-sqli/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40484"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ChurchCRM"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-40484","ChurchCRM","Remote Code Execution","Web Shell","CSRF"],"_cs_type":"advisory","_cs_vendors":["ChurchCRM"],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is susceptible to remote code execution (RCE) in versions prior to 7.2.0. This vulnerability stems from the insecure handling of database backup restoration. Specifically, the \u003ccode\u003erecursiveCopyDirectory()\u003c/code\u003e function fails to adequately filter file extensions when extracting uploaded archive contents from the \u003ccode\u003eImages/\u003c/code\u003e directory, copying files into the web-accessible document root. An authenticated administrator can exploit this by uploading a malicious backup archive containing a PHP webshell. Due to the lack of file extension filtering, this webshell is written to a publicly accessible path, enabling attackers to execute arbitrary code on the server as the web server user via HTTP requests. The absence of CSRF token validation on the restore endpoint further exacerbates the issue, enabling cross-site request forgery (CSRF) attacks against authenticated administrators. This vulnerability is identified as CVE-2026-40484.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains valid administrator credentials to the ChurchCRM application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious backup archive containing a PHP webshell file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) within an \u003ccode\u003eImages/\u003c/code\u003e directory structure.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the crafted backup archive through the ChurchCRM administrative interface using the database backup restore functionality.\u003c/li\u003e\n\u003cli\u003eThe application's \u003ccode\u003erecursiveCopyDirectory()\u003c/code\u003e function extracts the archive contents without proper file extension filtering.\u003c/li\u003e\n\u003cli\u003eThe PHP webshell file (e.g., \u003ccode\u003eshell.php\u003c/code\u003e) is copied from the \u003ccode\u003eImages/\u003c/code\u003e directory within the archive to a publicly accessible directory in the web server's document root.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the lack of CSRF protection in the restore endpoint, possibly by tricking an administrator into triggering the restore via a malicious link or website.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the uploaded PHP webshell (e.g., \u003ccode\u003ehttp://churchcrm.example.com/Images/shell.php?cmd=whoami\u003c/code\u003e) to execute arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code, granting the attacker remote code execution capabilities as the web server user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the ChurchCRM server with the privileges of the web server user. This could lead to complete compromise of the server, data exfiltration (including sensitive church member data), defacement of the website, or further lateral movement within the network. Given the sensitive nature of data typically stored in church management systems, the impact can be severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 7.2.0 or later to patch CVE-2026-40484 immediately.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to detect and block requests to potentially malicious PHP files uploaded to the \u003ccode\u003eImages/\u003c/code\u003e directory, specifically targeting HTTP requests with suspicious parameters like \u003ccode\u003ecmd=\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious PHP file creation in web directories to identify potential webshell uploads.\u003c/li\u003e\n\u003cli\u003eEnable logging for web server access and error logs and monitor for unusual activity, especially related to the \u003ccode\u003eImages/\u003c/code\u003e directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-churchcrm-rce/","summary":"ChurchCRM versions before 7.2.0 are vulnerable to remote code execution (RCE) due to insufficient file extension filtering during database backup restoration, allowing an authenticated administrator to upload a crafted archive containing a PHP webshell that can be executed via HTTP requests.","title":"ChurchCRM Remote Code Execution via Backup Restore Vulnerability (CVE-2026-40484)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-churchcrm-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40581"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ChurchCRM"],"_cs_severities":["high"],"_cs_tags":["CVE-2026-40581","csrf","churchcrm","data-deletion"],"_cs_type":"advisory","_cs_vendors":["ChurchCRM"],"content_html":"\u003cp\u003eChurchCRM, an open-source church management system, is susceptible to a critical Cross-Site Request Forgery (CSRF) vulnerability in versions prior to 7.2.0. Specifically, the family record deletion endpoint (SelectDelete.php) lacks CSRF token validation. This allows an attacker to craft a malicious web page that, when visited by an authenticated ChurchCRM administrator, will silently trigger the deletion of family records. The scope of this vulnerability extends to all associated data, including notes, pledges, persons, and property information. Successful exploitation results in irreversible data loss without user confirmation. Users are advised to upgrade to version 7.2.0 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable ChurchCRM instance running a version prior to 7.2.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing an \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;iframe\u0026gt;\u003c/code\u003e tag that makes a GET request to \u003ccode\u003eSelectDelete.php\u003c/code\u003e with the ID of the target family record.  The URL looks like: \u003ccode\u003ehttps://example.com/ChurchCRM/FamilyView.php?FamilyID=123\u0026amp;Action=Delete\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker social engineers an authenticated ChurchCRM administrator into visiting the malicious HTML page (e.g., via phishing or embedding the page on a compromised website).\u003c/li\u003e\n\u003cli\u003eThe administrator's browser automatically sends the GET request to \u003ccode\u003eSelectDelete.php\u003c/code\u003e along with the administrator's valid session cookies.\u003c/li\u003e\n\u003cli\u003eThe ChurchCRM server, lacking CSRF protection, processes the request and deletes the specified family record and all associated data.\u003c/li\u003e\n\u003cli\u003eThe targeted family record, along with associated notes, pledges, persons, and property data, is permanently and irreversibly deleted from the ChurchCRM database.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves the objective of data deletion and potential disruption of church management operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful CSRF attack against ChurchCRM can result in the permanent and irreversible deletion of sensitive family records and associated data, potentially affecting hundreds or thousands of individuals depending on the size of the church and its record-keeping practices. This data loss can disrupt church operations, damage relationships with members, and lead to legal or regulatory compliance issues depending on the nature of the stored data. The lack of user interaction required for this exploit makes it particularly dangerous as administrators may be unaware that data is being deleted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ChurchCRM to version 7.2.0 or later to patch the CSRF vulnerability in \u003ccode\u003eSelectDelete.php\u003c/code\u003e (see Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious requests to \u003ccode\u003eSelectDelete.php\u003c/code\u003e (see Rules).\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests to \u003ccode\u003eSelectDelete.php\u003c/code\u003e that lack a valid CSRF token, if possible.\u003c/li\u003e\n\u003cli\u003eEducate ChurchCRM administrators about the risks of CSRF attacks and the importance of avoiding suspicious links or websites.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-churchcrm-csrf/","summary":"ChurchCRM versions prior to 7.2.0 are vulnerable to a CSRF attack on the family record deletion endpoint allowing an attacker to trigger deletion of family records by enticing an authenticated administrator to visit a malicious page.","title":"ChurchCRM \u003c 7.2.0 Family Record Deletion CSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-churchcrm-csrf/"}],"language":"en","title":"CraftedSignal Threat Feed - ChurchCRM","version":"https://jsonfeed.org/version/1.1"}