ChurchCRM
CVE-2025-11939
LOW
Severity by source
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing a manipulation of the argument restoreFile can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Path traversal in ChurchCRM's Backup Restore Handler lets a remote attacker who already holds an administrative session manipulate the restoreFile argument and reach files outside the intended backup directory. The flaw affects ChurchCRM up to 5.18.0, requires high privileges (PR:H), and a public exploit exists (E:P). The low CVSS 4.0 rating (2.0) reflects that privilege requirement, not a harmless outcome: for deployments whose admin interface is reachable from the internet, the public exploit and the absence of any vendor response make the practical risk higher than the score alone suggests.
Technical Context (AI)
The vulnerability sits in src/ChurchCRM/Backup/RestoreJob.php, the PHP class that performs backup restoration. The assigned weakness, CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), indicates that the restoreFile parameter is not adequately validated before it is used to build a filesystem path. Without canonicalization of the resulting path and a check that it still lies inside the backup directory (or an allowlist of permitted file names), an attacker can supply traversal sequences such as ../../../ to read, overwrite, or delete files outside that directory, depending on which operation the handler performs on the path. PHP filesystem functions such as file_get_contents(), copy(), or unlink() do exactly what the supplied path tells them, so the protection has to come from validating the path before it reaches them.
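To make the CWE-22 pattern concrete, the following is an added example and not ChurchCRM's code: restoreFileVulnerable() and restoreFileSafe() are hypothetical handlers, the backup directory layout and the archive naming convention are assumptions, and the demonstration runs against a throwaway directory it creates itself (PHP 8 on a Unix-like host assumed, since it uses str_starts_with() and symlink()).

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM's own code. restoreFileVulnerable() and
// restoreFileSafe() are hypothetical handlers showing the CWE-22 pattern and
// one way to close it; the backup directory layout is assumed.

// Vulnerable pattern: the request-supplied name is glued onto the backup
// directory and used as-is, so "../../../etc/passwd" escapes the directory.
function restoreFileVulnerable(string $backupDir, string $restoreFile): string
{
    return $backupDir . '/' . $restoreFile;
}

// Hardened pattern: allowlist the expected file name shape (no separators,
// no ".." since every dot must be followed by an alphanumeric run), then
// canonicalise with realpath() and confirm the result is still under the
// backup directory. realpath() also resolves symlinks, so a planted link
// inside the backup directory that points elsewhere is rejected too.
function restoreFileSafe(string $backupDir, string $restoreFile): ?string
{
    // Assumed naming convention for backup archives; anything else is refused.
    if (!preg_match('/\A[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+\z/', $restoreFile)) {
        return null;
    }
    $base = realpath($backupDir);
    $candidate = realpath($backupDir . DIRECTORY_SEPARATOR . $restoreFile);
    // realpath() returns false for a missing file or directory.
    if ($base === false || $candidate === false) {
        return null;
    }
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// Demonstration against a throwaway backup directory created here.
$backupDir = sys_get_temp_dir() . '/churchcrm-backups-' . getmypid();
mkdir($backupDir, 0700);
touch($backupDir . '/ChurchCRM-Backup.tar.gz');
symlink('/etc/hostname', $backupDir . '/planted.tar.gz'); // attacker-planted link

$inputs = [
    'ChurchCRM-Backup.tar.gz',          // legitimate archive name
    '../../../etc/passwd',              // classic traversal
    'ChurchCRM-Backup.tar.gz/../../x',  // traversal after a valid-looking prefix
    'planted.tar.gz',                   // symlink escaping the directory
];
foreach ($inputs as $name) {
    printf("%-36s vulnerable=%s\n%-36s safe=%s\n", $name,
        restoreFileVulnerable($backupDir, $name), '',
        var_export(restoreFileSafe($backupDir, $name), true));
}

// Clean up the throwaway directory.
unlink($backupDir . '/planted.tar.gz');
unlink($backupDir . '/ChurchCRM-Backup.tar.gz');
rmdir($backupDir);
```

Only the legitimate archive name yields a non-null path from restoreFileSafe(); the vulnerable variant happily returns a path under /etc for the traversal inputs. The allowlist regex rejects separators and ".." on its own, and the realpath() prefix check is the second layer that also catches symlinks, which a string-only check would miss.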
Remediation (AI)
No vendor-released patch was identified at the time of analysis, and the vendor did not respond to the early disclosure. Until a fix is available: restrict the ChurchCRM administrative interface to trusted networks (firewall rules or VPN, no direct internet exposure), require multi-factor authentication for admin accounts, and disable or restrict the Backup Restore functionality if it is not actively used. Monitor web server access logs for requests to the backup restore functionality whose restoreFile value contains traversal sequences (../, URL-encoded variants such as %2e%2e%2f, or absolute paths). Run the PHP process under a dedicated low-privilege account with write access only to the directories it needs, and if the application is containerized, keep the root filesystem read-only with only the data and backup directories writable, so a successful traversal cannot modify configuration or system files. Apply the vendor patch as soon as one is released.