ChurchCRM
CVE-2025-11938
Severity: LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Unsafe deserialization in ChurchCRM's setup/routes/setup.php allows remote attackers to manipulate the DB_PASSWORD, ROOT_PATH, or URL parameters, leading to arbitrary code execution with limited impact. The vulnerability affects versions up to 5.18.0 and has publicly available exploit code, though the EPSS exploitation probability remains low (0.10% percentile), suggesting that real-world exploitation is constrained by the high attack complexity and difficult exploitability.
Technical Context (AI-generated)
ChurchCRM is a PHP-based church management system. The vulnerability resides in the setup.php route handler, which deserializes user-controlled input from configuration parameters without proper validation (CWE-20: Improper Input Validation). PHP's unserialize() function, when applied to untrusted data, can trigger object injection attacks if the codebase contains exploitable magic methods (__wakeup, __destruct) in instantiated classes. The attack vector is network-based, targeting the setup endpoint during or after application initialization. The deserialization occurs when processing DB_PASSWORD, ROOT_PATH, or URL arguments, which are typically used for initial database configuration.
Remediation (AI-generated)
Immediately upgrade ChurchCRM to the latest available version beyond 5.18.0 if one is available from the project repository. If no patched version has been released (vendor non-response suggests possible project abandonment), implement these compensating controls:
(1) Remove or rename setup/routes/setup.php after initial deployment to prevent post-installation access; this is the primary mitigation with minimal side effects, as setup typically runs only once.
(2) Restrict access to the setup/ directory via web server configuration (nginx, Apache .htaccess, or web.config) to localhost or specific administrative IPs, preventing remote exploitation at the cost of complicating legitimate remote setup scenarios.
(3) Implement input validation in setup.php to reject serialized PHP objects in configuration parameters, or disable PHP's auto_prepend_file and auto_append_file settings if they could load malicious serialized data.
Monitor vendor repositories (GitHub, official website) for security patches, as vendor non-responsiveness may indicate the project is no longer actively maintained.
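As an added illustration of control (3) and of the unserialize() pattern described under Technical Context, the following PHP is a hypothetical example written for this page; it is not ChurchCRM's setup.php code, and the handler functions and request array are assumptions. Only the parameter names come from the advisory.

```php
<?php
// Hypothetical illustration (not ChurchCRM's code) of the pattern the advisory
// describes: a setup handler that passes a request parameter to unserialize(),
// shown beside a hardened replacement that never deserializes config values.

// VULNERABLE pattern: untrusted input reaches unserialize() unrestricted, so a
// serialized object string instantiates a class of the sender's choosing and
// its __wakeup()/__destruct() magic methods run.
function loadSettingVulnerable(array $request, string $key)
{
    return unserialize($request[$key] ?? '');
}

// HARDENED: DB_PASSWORD, ROOT_PATH and URL are plain strings, so validate them
// as strings and reject anything shaped like PHP serialization output.
function loadSettingHardened(array $request, string $key): string
{
    $value = $request[$key] ?? '';
    if (!is_string($value)) {
        throw new InvalidArgumentException("$key must be a string");
    }
    // Serialized scalars/arrays/objects start with markers such as
    // "s:5:", "a:1:", "O:8:", "C:3:", "i:", "b:", "d:" or "N;".
    if (preg_match('/^(?:[OCa]:\d+:|[sidb]:|N;)/', $value)) {
        throw new InvalidArgumentException("$key contains serialized data");
    }
    switch ($key) {
        case 'URL':
            if (filter_var($value, FILTER_VALIDATE_URL) === false) {
                throw new InvalidArgumentException('URL is not a valid URL');
            }
            break;
        case 'ROOT_PATH':
            // Restrict to a conservative path character set; no traversal.
            if (preg_match('#[^A-Za-z0-9_./-]#', $value) || strpos($value, '..') !== false) {
                throw new InvalidArgumentException('ROOT_PATH contains disallowed characters');
            }
            break;
    }
    return $value;
}

// If unserialize() genuinely cannot be avoided for a legacy value, disable class
// instantiation so object injection is not possible (PHP >= 7.0).
function safeUnserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample input: a serialized object where a plain string was expected.
$sample = ['DB_PASSWORD' => 'O:8:"stdClass":0:{}', 'URL' => 'https://example.test/'];
try {
    loadSettingHardened($sample, 'DB_PASSWORD');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With allowed_classes set to false, any class-bearing payload deserializes to __PHP_Incomplete_Class, so no magic method of an application class executes.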