EUVD-2026-19808CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is directly inserted into SQL queries without proper sanitization. The mysqli_real_escape_string() function does not escape backtick characters, allowing attackers to break out of SQL identifier context and execute arbitrary SQL statements. This vulnerability is fixed in 7.1.0.
Analysis
SQL injection in ChurchCRM GroupPropsFormRowOps.php allows authenticated attackers to execute arbitrary SQL commands and extract, modify, or destroy database contents. The Field parameter accepts unsanitized user input that is inserted directly into SQL queries; while mysqli_real_escape_string() is applied, it fails to escape backtick characters, enabling attackers to break out of SQL identifier context. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Confirm ChurchCRM version currently deployed and identify all instances across infrastructure. Within 7 days: Upgrade to ChurchCRM 7.1.0 or later when available; if unavailable, restrict SQL-capable user account permissions to essential administrators only and implement network segmentation limiting GroupPropsFormRowOps.php access. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today