Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed in 7.1.0.
AnalysisAI
Time-based blind SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with Edit Records or Manage Groups permissions to exfiltrate or modify database content including credentials, PII, and configuration secrets via the PropertyAssign.php endpoint. Attack requires low-privilege authentication (PR:L) but enables high confidentiality and integrity impact through database manipulation. No public exploit identified at time of analysis, though EPSS data was not provided. CVSS 8.1 reflects network-accessible exploitation with low complexity requiring only basic user privileges.
Technical ContextAI
This vulnerability represents a classic CWE-89 SQL injection flaw in a PHP-based application. ChurchCRM is an open-source church management system built on PHP that manages member records, donations, groups, and other church administrative functions. The vulnerability resides in the PropertyAssign.php endpoint, which likely handles property or attribute assignment operations for church members or groups. Time-based blind SQL injection is particularly dangerous as it allows attackers to infer database content through timing responses even when direct error messages or data output is not available. By injecting carefully crafted SQL payloads with time delays (such as SLEEP() or WAITFOR functions), attackers can extract information bit-by-bit by measuring response times. The affected CPE (cpe:2.3:a:churchcrm:crm) indicates this impacts the core ChurchCRM application, and the requirement for Edit Records or Manage Groups permissions suggests the vulnerable code path is accessed through privileged administrative functions rather than public-facing interfaces.
RemediationAI
Organizations running ChurchCRM must upgrade to version 7.1.0 or later to remediate this SQL injection vulnerability. The vendor-released patch version 7.1.0 addresses the time-based blind SQL injection in PropertyAssign.php through proper input validation and parameterized query implementation. Download the patched release from the official ChurchCRM GitHub repository and follow standard upgrade procedures including database backups before migration. As an interim mitigation for environments unable to immediately upgrade, consider restricting Edit Records and Manage Groups permissions to only essential trusted administrators, implementing web application firewall rules to detect SQL injection patterns in requests to PropertyAssign.php, and enabling comprehensive query logging to detect exploitation attempts characterized by unusual timing delays. Review database access logs for any suspicious activity patterns from accounts with these permissions prior to patching. Consult the GitHub Security Advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r57q-r5v3-v5h8 for additional vendor guidance and migration notes.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19345