Platform: php
Component: crm
Fixed in: 6.5.4
CVE-2025-68112 describes a SQL injection vulnerability affecting ChurchCRM versions prior to 6.5.3. This flaw allows authenticated users to inject malicious SQL commands, potentially leading to complete database compromise and system takeover. The vulnerability impacts ChurchCRM installations running versions 6.5.3 and earlier, and a patch is available in version 6.5.3.
The SQL injection vulnerability in ChurchCRM presents a significant risk to church organizations utilizing the system. A successful exploit allows an attacker to bypass authentication and execute arbitrary SQL queries against the database. This can result in the exfiltration of sensitive member data, including personal information, contact details, and financial records. Attackers could also steal administrative credentials, granting them full control over the ChurchCRM instance and potentially the underlying server. The potential for data breach and system compromise is high, particularly given the sensitive nature of the data stored within ChurchCRM.
CVE-2025-68112 has been publicly disclosed and assigned a CRITICAL CVSS score of 9.6. As of the current date, there is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation inherent in SQL injection vulnerabilities suggests that they are likely to emerge. The vulnerability was published on 2025-12-17.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68112 is to immediately upgrade ChurchCRM to version 6.5.3 or later, which includes a patch for the SQL injection vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the Event Attendee Editor to authorized personnel only. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. After upgrading, confirm the fix by attempting to inject a simple SQL query through the Event Attendee Editor and verifying that it is properly sanitized and does not execute.
Upgrade ChurchCRM to version 6.5.3 or later. This version contains a fix for the SQL injection vulnerability. Back up the database before upgrading.
CVE-2025-68112 is a critical SQL injection vulnerability in ChurchCRM versions prior to 6.5.3, allowing attackers to execute arbitrary SQL commands and potentially compromise the entire database.
You are affected if you are running ChurchCRM version 6.5.3 or earlier. Immediately check your version and upgrade if necessary.
Upgrade ChurchCRM to version 6.5.3 or later. If immediate upgrade is not possible, restrict access to the Event Attendee Editor and consider using a WAF.
While there is no confirmed active exploitation at this time, the ease of exploitation suggests it is likely to be targeted. Proactive patching is crucial.
Refer to the official ChurchCRM security advisory on their website or GitHub repository for the latest information and patch details.