CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Analysis
Second-order SQL injection in ChurchCRM FundRaiserEditor.php allows authenticated low-privilege users to extract and modify database contents remotely. All versions prior to 7.1.0 are affected. …
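The mechanism described above, as an added illustration that is not ChurchCRM's code: the table and column names, the session key handling, the sample rows and the `select_fundraiser` / `load_fundraiser_*` functions are all constructed assumptions, with sqlite3 standing in for the real database. The point it shows is the second-order shape of the bug: on the first hop the request value is only stored into the session, so nothing looks wrong there; the injection fires later, when the session value (trusted because it "came from the server") is concatenated into a query. The hardened variant validates the type and binds the value as a parameter at the sink.

```python
import sqlite3

# Constructed sample schema. Names are assumptions for the illustration,
# not ChurchCRM's actual tables or columns.
SCHEMA = """
CREATE TABLE fundraiser (fr_id INTEGER PRIMARY KEY, fr_title TEXT);
CREATE TABLE user_usr (usr_id INTEGER PRIMARY KEY, usr_name TEXT, usr_password TEXT);
INSERT INTO fundraiser VALUES (1, 'Spring Bake Sale'), (2, 'Roof Fund');
INSERT INTO user_usr VALUES (1, 'admin', 'hash-of-admin-pw'), (2, 'alice', 'hash-of-alice-pw');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def select_fundraiser(session, request_value):
    """First hop (hypothetical): a request parameter is copied into the
    PHP-style session unmodified. No SQL runs here, which is why a
    first-order review of this code finds nothing to flag."""
    session["iCurrentFundraiser"] = request_value


def load_fundraiser_vulnerable(conn, session):
    """Second hop: the session value is treated as already-trusted and
    concatenated into the query. This is the second-order injection sink."""
    sql = ("SELECT fr_id, fr_title FROM fundraiser WHERE fr_id = "
           + str(session["iCurrentFundraiser"]))
    return conn.execute(sql).fetchall()


def load_fundraiser_fixed(conn, session):
    """Hardened sink: enforce the integer type on the session value and bind
    it as a parameter, regardless of where the value was stored from."""
    raw = session.get("iCurrentFundraiser")
    try:
        fr_id = int(str(raw))  # rejects anything that is not a plain integer
    except ValueError:
        raise ValueError("iCurrentFundraiser must be an integer")
    return conn.execute(
        "SELECT fr_id, fr_title FROM fundraiser WHERE fr_id = ?", (fr_id,)
    ).fetchall()


def demo():
    """Returns (normal_rows, leaked_rows, fixed_blocked_payload)."""
    conn = make_db()
    session = {}

    # Benign use: a real fundraiser id.
    select_fundraiser(session, "2")
    normal = load_fundraiser_vulnerable(conn, session)

    # Attacker-controlled value: stored first, exploited later. The UNION
    # pulls rows from an unrelated table through the fundraiser query.
    select_fundraiser(session, "0 UNION SELECT usr_name, usr_password FROM user_usr")
    leaked = load_fundraiser_vulnerable(conn, session)

    try:
        load_fundraiser_fixed(conn, session)
        blocked = False
    except ValueError:
        blocked = True
    return normal, leaked, blocked


if __name__ == "__main__":
    normal, leaked, blocked = demo()
    print("normal:", normal)
    print("leaked via second-order injection:", sorted(leaked))
    print("hardened sink rejected payload:", blocked)
```

The type check plus parameter binding is the fix to look for when verifying an upgrade; a firewall rule on the editor endpoint only covers the sink, not the place where the session value is written.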
Remediation
Within 24 hours: Identify all ChurchCRM installations and document current versions; restrict FundRaiserEditor.php access to administrative roles only via firewall or web application firewall rules. Within 7 days: Audit database access logs for suspicious queries from low-privilege accounts and review user account privileges to enforce least-privilege access. …
EUVD-2026-19817