PHP
CVE-2026-40484
CRITICAL
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
AnalysisAI
Remote code execution in ChurchCRM <7.2.0 allows authenticated administrators to upload PHP webshells through the database backup restore function, which copies files from archive Images/ directories to web-accessible paths without extension filtering. The vulnerability includes a CSRF bypass enabling forced exploitation through cross-site request forgery. Exploitation requires high privileges (administrator account) but is network-accessible with low complexity (CVSS:3.1/AV:N/AC:L/PR:H). No active exploitation confirmed (not in CISA KEV). Vendor-released fix available in version 7.2.0 via GitHub PR #8610 and commit 68be1d12.
Technical ContextAI
ChurchCRM is a PHP-based church management system providing database backup and restore capabilities. The vulnerability stems from the recursiveCopyDirectory() function used during backup restoration, which performs file copying operations from uploaded archives to the web server's document root without validating file extensions or MIME types. This represents CWE-269 (Improper Privilege Management) where administrative privileges are insufficient to prevent dangerous operations. The restore endpoint processes ZIP/archive files containing an Images/ directory structure, extracting and copying contents directly into publicly accessible web paths. The lack of CSRF token validation on the restore endpoint creates a second attack vector, allowing attackers to force exploitation through social engineering against authenticated administrators. PHP execution in the web document root enables direct code execution as the web server process user (typically www-data, apache, or nginx).
Affected ProductsAI
ChurchCRM versions prior to 7.2.0 are affected. The vulnerability exists in the database backup restore functionality accessible to authenticated administrators. Specific affected versions are not enumerated in available data, but all versions before the 7.2.0 release should be considered vulnerable. The fix is tracked in GitHub pull request #8610 and commit 68be1d12bc4cc1429575ae797ef05efe47030d39. Vendor advisory available at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2932-77f9-62fx provides additional context.
RemediationAI
Upgrade to ChurchCRM version 7.2.0 or later, which implements file extension filtering in the recursiveCopyDirectory() function and adds CSRF token validation to the restore endpoint per GitHub PR #8610 (https://github.com/ChurchCRM/CRM/pull/8610). For environments unable to upgrade immediately, implement compensating controls: (1) Restrict administrator account access to trusted IP ranges via web server configuration or firewall rules - reduces exposure to credential compromise but impacts legitimate remote administration; (2) Block PHP execution in the web document root's Images/ directory and all upload paths using web server configuration (Apache: php_flag engine off in .htaccess; Nginx: location directive denying .php files) - prevents webshell execution but may break legitimate image processing if server-side PHP thumbnailing is used; (3) Implement file upload restrictions at the web application firewall or reverse proxy layer to reject archives containing .php, .phtml, .php5 files - may cause false positives if legitimate backups contain PHP configuration files. Review existing backup archives for suspicious PHP files in Images/ directories. Audit administrator account activity logs for unexpected restore operations.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today