CVE-2025-1135 in ChurchCRM
Summary
by MITRE • 02/19/2025
A vulnerability exists in ChurchCRM 5.13.0. and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. Please note the vulnerability requires Administrator privileges.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/19/2025
The vulnerability identified as CVE-2025-1135 represents a critical security flaw within ChurchCRM version 5.13.0 and earlier installations, specifically targeting the BatchWinnerEntry functionality. This issue manifests as a boolean-based and time-based blind SQL injection vulnerability that fundamentally compromises the database integrity of affected systems. The vulnerability stems from improper input validation and sanitization practices within the application's codebase, where the CurrentFundraiser parameter is directly concatenated into SQL queries without adequate protection mechanisms. Such implementation flaws create an exploitable attack surface that allows malicious actors to manipulate database operations through carefully crafted input sequences.
The technical exploitation of this vulnerability requires an attacker to possess administrator privileges, which significantly limits the attack vector but does not eliminate the severity of the issue. The boolean-based and time-based blind SQL injection techniques enable attackers to infer database contents and structure through response timing variations and conditional responses. This approach allows for the systematic extraction of sensitive data without direct query output, making detection more challenging for security monitoring systems. The vulnerability's impact extends beyond simple data theft, as it provides attackers with the capability to modify or delete database records, potentially compromising the entire ChurchCRM installation's data integrity and availability.
From an operational perspective, this vulnerability poses significant risks to organizations relying on ChurchCRM for their administrative and fundraising operations. The potential for data exfiltration includes sensitive donor information, financial records, and personal data that could be exploited for identity theft or financial fraud. The requirement for administrator privileges does not mitigate the damage potential, as gaining administrative access often represents a substantial compromise of organizational security. The vulnerability's presence in the BatchWinnerEntry functionality suggests that fundraising campaigns and donor management systems could be directly targeted, potentially affecting an organization's ability to conduct business operations.
Organizations must implement immediate mitigations including upgrading to patched versions of ChurchCRM, implementing proper input validation and parameterized queries, and conducting comprehensive security assessments of their database configurations. The vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws, and represents a clear violation of secure coding practices outlined in the OWASP Top Ten. Defense-in-depth strategies should include database query auditing, network segmentation, and privileged access monitoring to detect potential exploitation attempts. Additionally, organizations should consider implementing web application firewalls and database activity monitoring solutions to provide additional layers of protection against similar vulnerabilities that may exist in other application components.
The ATT&CK framework categorizes this vulnerability under the T1190 technique for exploit public-facing application, while the privilege escalation aspect relates to T1078 for valid accounts and T1566 for phishing with malicious attachments or links. Organizations should also consider the broader implications for their security posture, as this vulnerability demonstrates the importance of regular security updates, proper code review processes, and comprehensive vulnerability management programs. The incident highlights the critical need for organizations to maintain current security patches and to implement robust input validation mechanisms across all application functionalities, particularly those handling sensitive data and administrative operations.