CVE-2025-66396 in ChurchCRM
Summary
by MITRE • 12/17/2025
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly sanitized or type-casted before being used in multiple SQL queries. This allows a malicious or compromised administrator account to execute arbitrary SQL commands, including time-based blind SQL injection attacks, to directly interact with the database. The vulnerability is located in `src/UserEditor.php` within the logic that handles saving user-specific configuration settings. The `type` parameter from the POST request is processed as an array. The code iterates through this array and uses `key($type)` to extract the array key, which is expected to be a numeric ID. This key is then assigned to the `$id` variable. The `$id` variable is subsequently concatenated directly into a `SELECT` and an `UPDATE` SQL query without any sanitization or validation, making it an injection vector. Although the vulnerability requires administrator privileges to exploit, it allows a malicious or compromised admin account to execute arbitrary SQL queries. This can be used to bypass any application-level logging or restrictions, directly manipulate the database, exfiltrate, modify, or delete all data (including other user credentials, financial records, and personal information), and could potentially lead to further system compromise, such as writing files to the server, depending on the database's configuration and user privileges. Version 6.5.3 patches the issue.
Analysis
by VulDB Data Team • 12/17/2025
The vulnerability identified as CVE-2025-66396 affects ChurchCRM, an open-source church management system, and represents a critical SQL injection flaw that undermines the integrity and confidentiality of sensitive data. This vulnerability exists in the `src/UserEditor.php` file prior to version 6.5.3, where the application fails to properly sanitize user-supplied input before incorporating it into database queries. The flaw specifically manifests when administrators save user configuration settings, creating a pathway for malicious actors to execute arbitrary SQL commands through time-based blind SQL injection techniques. The vulnerability stems from improper handling of the `type` POST parameter array, where array keys are extracted using `key($type)` without any validation or sanitization processes, leading to direct concatenation into SQL statements.
The technical implementation of this vulnerability follows a well-documented pattern that aligns with CWE-89, which categorizes improper neutralization of special elements into SQL command queries as a primary contributor to SQL injection attacks. In ChurchCRM's case, the code processes the `type` parameter as an array and iterates through it while extracting keys through `key($type)` to assign them to an `$id` variable. This variable is then directly inserted into both SELECT and UPDATE SQL queries without any form of parameterization or input validation, creating a predictable injection vector. The requirement for administrator privileges to exploit this vulnerability does not diminish its severity, as it provides attackers with elevated access rights that can be leveraged for extensive data manipulation. Attackers can bypass application-level security controls and logging mechanisms, potentially leading to complete database compromise.
The operational impact of this vulnerability extends far beyond simple data theft, encompassing full database manipulation capabilities that could result in catastrophic consequences for church organizations managing sensitive personal information, financial records, and user credentials. The vulnerability enables attackers to exfiltrate confidential data, modify or delete critical records, and potentially escalate their privileges further by writing malicious files to the server. Depending on the database configuration and user permissions, this could lead to complete system compromise and persistent access. The time-based blind SQL injection technique allows attackers to extract data through response timing variations, making detection more difficult while enabling comprehensive data reconnaissance. This vulnerability directly maps to several ATT&CK techniques including T1078 for valid accounts and T1566 for credential access, as it leverages legitimate administrative privileges to gain unauthorized database access.
Organizations using ChurchCRM versions prior to 6.5.3 should immediately implement mitigations including applying the patch available in version 6.5.3, which properly sanitizes the input parameters before database operations. Additional defensive measures include implementing input validation for all user-supplied data, employing parameterized queries to prevent SQL injection, and conducting regular security audits of database interactions. Network segmentation and monitoring of database access patterns can help detect anomalous behavior indicative of exploitation attempts. The vulnerability demonstrates the critical importance of proper input sanitization in web applications, particularly when handling administrative functions that process user data. Organizations should also consider implementing application firewalls and database activity monitoring to provide additional layers of protection against similar vulnerabilities that may exist in other components of their infrastructure.
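As an added illustration (not ChurchCRM's own code; the table and column names `user_config`, `ucfg_id` and `ucfg_type` are placeholders), the following puts the vulnerable shape the Summary and Analysis describe next to a hardened version that applies the integer validation and parameterized queries recommended above. It runs stand-alone against an in-memory SQLite database with constructed rows.

```php
<?php
// Added illustration of the pattern the advisory describes; not ChurchCRM's code.
// Table and column names (user_config, ucfg_id, ucfg_type) are placeholders.

// Vulnerable shape: the array key of the `type` POST parameter is read with
// key() and spliced into the SQL text, so the key itself becomes part of the query.
function saveConfigVulnerable(PDO $db, array $type): void
{
    foreach ($type as $value) {
        $id = key($type);            // request-controlled array key, no validation
        next($type);
        $db->query("SELECT ucfg_id FROM user_config WHERE ucfg_id = $id");            // CWE-89
        $db->exec("UPDATE user_config SET ucfg_type = '$value' WHERE ucfg_id = $id");  // CWE-89
    }
}

// Hardened shape: validate the key as a positive integer id and bind both values
// as typed parameters, so nothing from the request is ever interpreted as SQL.
function saveConfigHardened(PDO $db, array $type): int
{
    $select = $db->prepare('SELECT ucfg_id FROM user_config WHERE ucfg_id = :id');
    $update = $db->prepare('UPDATE user_config SET ucfg_type = :type WHERE ucfg_id = :id');
    $updated = 0;
    foreach ($type as $id => $value) {
        // PHP stores canonical decimal keys ("7") as int 7; any other string key
        // stays a string, so is_int() rejects keys carrying extra characters.
        if (!is_int($id) || $id < 1) {
            throw new InvalidArgumentException('invalid configuration id: ' . var_export($id, true));
        }
        $select->bindValue(':id', $id, PDO::PARAM_INT);
        $select->execute();
        if ($select->fetchColumn() === false) {
            continue;                                    // unknown id: nothing to update
        }
        $update->bindValue(':id', $id, PDO::PARAM_INT);
        $update->bindValue(':type', (string) $value, PDO::PARAM_STR);
        $update->execute();
        $updated += $update->rowCount();
    }
    return $updated;
}

// Self-check against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_config (ucfg_id INTEGER PRIMARY KEY, ucfg_type TEXT)');
$db->exec("INSERT INTO user_config (ucfg_id, ucfg_type) VALUES (1, 'text'), (2, 'text')");
echo saveConfigHardened($db, ['1' => 'date', 2 => 'number']), " row(s) updated\n";
try {
    saveConfigHardened($db, ['2abc' => 'date']);        // non-integer key from a malformed request
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same `is_int()` check also rejects negative and non-canonical keys such as `"-1"` or `"05"`, which is why the hardened version validates rather than merely casting with `(int)`.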