EUVD-2026-19841
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL - was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields are concatenated directly into raw INSERT and UPDATE queries with no SQL escaping. This allows any authenticated user with the MenuOptions role (a non-admin staff permission) to perform time-based blind injection and exfiltrate any data from the database, including password hashes of all users. This vulnerability is fixed in 7.1.0.
Analysis
SQL injection in ChurchCRM's PropertyTypeEditor.php allows authenticated users with MenuOptions role permission to exfiltrate database contents including password hashes. The vulnerability stems from replacing SQL-escaping function legacyFilterInput() with sanitizeText() which only strips HTML, leaving Name and Description fields in property type management vulnerable to time-based blind injection. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and document all ChurchCRM instances in your environment and audit active user accounts with MenuOptions role permissions. Within 7 days: Restrict MenuOptions permission assignment to essential administrative personnel only, and implement database activity monitoring to detect suspicious SQL query patterns in PropertyTypeEditor.php access logs. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today