PHP
CVE-2026-40581
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.
AnalysisAI
Cross-Site Request Forgery (CSRF) in ChurchCRM versions before 7.2.0 allows remote attackers to permanently delete family records and all associated data (notes, pledges, persons, property) through the SelectDelete.php endpoint. The endpoint executes irreversible deletions via unauthenticated GET requests without CSRF token validation, requiring only that an authenticated administrator visit a malicious page. Attackers can weaponize this via phishing emails or malicious websites to trigger silent data destruction. Fixed in version 7.2.0 via PR #8613 and commit 3936162. No KEV listing or public POC identified at time of analysis, though exploitation is trivial given the simplicity of CSRF attacks against GET endpoints.
Technical ContextAI
ChurchCRM is a PHP-based open-source church management system. The vulnerability stems from CWE-352 (Cross-Site Request Forgery), a classic state-changing operation performed via GET request without anti-CSRF tokens. The SelectDelete.php endpoint accepts deletion commands through URL parameters alone, violating secure coding practices that mandate POST requests and unpredictable tokens for destructive operations. When a browser loads a resource (image tag, iframe, script) pointing to the vulnerable endpoint with crafted parameters, it automatically sends the administrator's session cookies, causing the server to authenticate and execute the deletion. This architectural flaw is common in legacy PHP applications predating widespread CSRF protection frameworks. The CVSS vector AV:N/AC:L/PR:N/UI:R indicates network-accessible exploitation with low complexity, requiring no authentication from the attacker (PR:N) but requiring user interaction (UI:R) - the victim admin must visit the malicious page while authenticated to ChurchCRM.
Affected ProductsAI
ChurchCRM versions prior to 7.2.0 are affected. ChurchCRM is a PHP-based church management system distributed via GitHub at ChurchCRM/CRM. The vulnerability exists in the SelectDelete.php endpoint responsible for family record deletion. The vendor advisory is available at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-6qxv-xw9j-77pj with technical details in pull request #8613.
RemediationAI
Upgrade to ChurchCRM version 7.2.0 or later, which implements CSRF token validation for the SelectDelete.php endpoint per commit 39361628613af7682b813f3e62a412559616d674 and pull request #8613 (https://github.com/ChurchCRM/CRM/pull/8613). For organizations unable to immediately upgrade, implement compensating controls: configure web application firewall (WAF) rules to block GET requests to SelectDelete.php (may break legitimate admin workflows if the application UI uses GET for deletion links), educate administrators to never click external links while logged into ChurchCRM (reduces social engineering success but relies on user behavior), or implement network-level restrictions allowing ChurchCRM access only from trusted IP ranges (limits exposure but impacts remote administration). Note that blocking GET requests will likely require application-level changes to use POST, making upgrade the only complete remediation. Review audit logs for suspicious deletion activity in family records between initial deployment and patching, though legitimate administrative deletions may be indistinguishable from CSRF-triggered ones without correlation to user activity timestamps.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today