Platform: php
Component: crm
Fixed in: 6.5.4
CVE-2025-68112 describes a SQL injection vulnerability affecting ChurchCRM versions prior to 6.5.3. This flaw allows authenticated users to inject malicious SQL commands, potentially leading to complete database compromise and system takeover. The vulnerability impacts ChurchCRM installations running versions 6.5.3 and earlier, and a patch is available in version 6.5.3.
The SQL injection vulnerability in ChurchCRM presents a significant risk to church organizations utilizing the system. A successful exploit allows an attacker to bypass authentication and execute arbitrary SQL queries against the database. This can result in the exfiltration of sensitive member data, including personal information, contact details, and financial records. Attackers could also steal administrative credentials, granting them full control over the ChurchCRM instance and potentially the underlying server. The potential for data breach and system compromise is high, particularly given the sensitive nature of the data stored within ChurchCRM.
CVE-2025-68112 has been publicly disclosed and assigned a CRITICAL CVSS score of 9.6. As of the current date, there is no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation inherent in SQL injection vulnerabilities suggests that they are likely to emerge. The vulnerability was published on 2025-12-17.
Churches and religious organizations that utilize ChurchCRM for managing member data, events, and finances are at significant risk. Organizations with legacy ChurchCRM installations or those that have not implemented robust access controls are particularly vulnerable. Shared hosting environments where multiple ChurchCRM instances reside on the same server could also be affected, potentially impacting multiple organizations simultaneously.
• php: Examine ChurchCRM application logs for suspicious SQL queries or error messages related to database interactions.
  grep -i 'error: syntax' /var/log/apache2/error.log
• generic web: Monitor access logs for unusual requests targeting the Event Attendee Editor endpoint.
  curl -I "http://your-churchcrm-instance/event_attendee_editor.php?id=1' UNION SELECT 1,2,3 -- -"
• database (mysql): Check the MySQL audit logs for unauthorized SQL queries or modifications to the database schema.
  SELECT * FROM mysql.general_log WHERE command_type = 'Query' AND user = 'your_database_user';
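Added detection example, not code from the advisory or the ChurchCRM project: it parses combined-format access-log lines, URL-decodes the request target twice so double-encoded payloads are also uncovered, and flags requests to the Event Attendee Editor endpoint whose query string carries common SQL injection indicators. The endpoint file name is taken from the advisory's own curl note (assumed, not verified against the ChurchCRM source tree), and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Combined access-log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Endpoint name as given in the advisory's curl note (assumption, not verified against ChurchCRM).
WATCHED_PATH = "event_attendee_editor.php"

# Indicators typical of SQL injection probing, matched against the decoded query string.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*(or|and)\s+['\d]", re.I),
    "union": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "comment": re.compile(r"(--|#|/\*)"),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "stacked": re.compile(r";\s*(drop|update|insert|delete)\b", re.I),
}

def decode_target(target):
    """URL-decode twice so a double-encoded payload (%2527 -> %27 -> ') is uncovered too."""
    return unquote_plus(unquote_plus(target))

def inspect_line(line):
    """Return (ip, decoded_target, [indicator names]) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    path, _, query = decoded.partition("?")  # split by hand: a '#' inside a payload is not a fragment
    if not path.endswith(WATCHED_PATH):
        return None
    hits = [name for name, pat in SQLI_PATTERNS.items() if pat.search(query)]
    return (m.group("ip"), decoded, hits) if hits else None

def scan(lines):
    """Run inspect_line over every log line and keep only the suspicious ones."""
    return [r for r in map(inspect_line, lines) if r]

# Constructed sample log lines (not real traffic): a benign request, a UNION probe,
# a double-encoded tautology, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Dec/2025:10:00:01 +0000] "GET /event_attendee_editor.php?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Dec/2025:10:00:07 +0000] "GET /event_attendee_editor.php?id=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 412',
    '10.0.0.9 - - [17/Dec/2025:10:00:09 +0000] "GET /event_attendee_editor.php?id=1%2527%2520OR%25201%253D1%2523 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [17/Dec/2025:10:00:15 +0000] "POST /Login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(hits)}")
```

Feed it real log lines with `scan(open(path))`; a hit on a 500 status, as in the second sample, is the combination worth correlating with the database error-log check above.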
Exploit status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68112 is to immediately upgrade ChurchCRM to version 6.5.3 or later, which includes a patch for the SQL injection vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the Event Attendee Editor to authorized personnel only. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. After upgrading, confirm the fix by attempting to inject a simple SQL query through the Event Attendee Editor and verifying that it is properly sanitized and does not execute.
Update ChurchCRM to version 6.5.3 or later. This version contains a fix for the SQL injection vulnerability. Back up the database before upgrading.
CVE-2025-68112 is a critical SQL injection vulnerability in ChurchCRM versions prior to 6.5.3, allowing attackers to execute arbitrary SQL commands and potentially compromise the entire database.
You are affected if you are running ChurchCRM version 6.5.3 or earlier. Immediately check your version and upgrade if necessary.
Upgrade ChurchCRM to version 6.5.3 or later. If immediate upgrade is not possible, restrict access to the Event Attendee Editor and consider using a WAF.
While there is no confirmed active exploitation at this time, the ease of exploitation suggests it is likely to be targeted. Proactive patching is crucial.
Refer to the official ChurchCRM security advisory on their website or GitHub repository for the latest information and patch details.