CVE-2025-67751 in ChurchCRM

Summary

by MITRE • 12/16/2025

ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue.


Analysis

by VulDB Data Team • 12/16/2025

CVE-2025-67751 is a SQL injection flaw in ChurchCRM, an open-source church management system that religious organizations use to manage membership data, event scheduling and financial records. It affects versions prior to 6.5.0 and resides in the EventEditor.php component. The root cause is missing input validation: a request parameter reaches a database query without being sanitized or bound as a query parameter, which gives an authenticated user a path into the application's database interactions. Given the kind of data these installations hold, that is a meaningful data-protection concern.

The flaw is triggered through the EN_tyid POST parameter during event creation. When an authenticated user with event management permissions creates a new event and selects an event type, the application takes EN_tyid, the identifier of the chosen event type, and incorporates it into a SQL statement without escaping it or using a parameterized query. Whatever is placed in that parameter therefore becomes part of the query text, so a crafted value can change the statement's meaning instead of merely selecting a type. Because the request is an ordinary authenticated form submission, the application's access controls do not constrain what the injected SQL does once it reaches the database.

The impact goes well beyond reading event data. The only prerequisite is the isAddEvent permission, which is commonly granted to trusted volunteers or staff, so the barrier to exploitation is low. With it, an attacker can run arbitrary SQL against the ChurchCRM database: read member records, financial details and administrative data, modify existing rows, or delete data. The actual reach is bounded by the privileges of the database account the application connects with, but in a typical deployment that account can access the whole ChurchCRM schema, which is what makes the flaw damaging from a privacy and compliance standpoint.

Mitigation starts with upgrading to version 6.5.0 or later, which fixes the issue. Until that is done, restrict the event management (isAddEvent) permission to the personnel who need it, and review database and application logs for unexpected statements originating from the event editor; enabling the database server's query logging for the ChurchCRM account, or placing a web application firewall in front of the application, gives visibility into attempts. The general fix for this class of bug is to treat EN_tyid as the integer identifier it is supposed to be, rejecting anything that does not parse as one, and to bind it as a parameter in a prepared statement rather than concatenating it into the query string. The vulnerability is classed as CWE-89 (SQL injection), a common pattern in web applications where user input is incorporated directly into database queries. In ATT&CK terms it corresponds to Exploit Public-Facing Application (T1190), carried out from an existing low-privileged account; keeping patches current and limiting who holds the vulnerable permission bounds the damage from such flaws.
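To make the mechanism and the fix concrete, the following is an added example in Python; it is not ChurchCRM code and does not reproduce the project's query. It uses a throwaway SQLite database with hypothetical event_types and user_accounts tables (not the real ChurchCRM schema) and shows the vulnerable string-concatenation pattern beside the validate-and-bind pattern, each fed with the kind of value an attacker could place in EN_tyid. The payloads are constructed for the demo; the `||` concatenation is SQLite syntax, and the equivalent against MySQL would use CONCAT().

```python
"""Added example, not ChurchCRM code: why an unsanitized EN_tyid value is
dangerous and how validating and binding the value removes the problem.
The schema and the query shape are hypothetical stand-ins."""
import re
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE event_types (type_id INTEGER PRIMARY KEY, type_name TEXT);
        CREATE TABLE user_accounts (
            user_id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO event_types VALUES (1, 'Worship Service'), (2, 'Youth Group');
        INSERT INTO user_accounts VALUES (1, 'admin', 'hash-constructed-for-demo');
        """
    )
    return conn


def lookup_type_vulnerable(conn, en_tyid):
    """Vulnerable pattern: the POST value is pasted into the SQL text."""
    sql = "SELECT type_name FROM event_types WHERE type_id = " + en_tyid
    return [row[0] for row in conn.execute(sql)]


def lookup_type_fixed(conn, en_tyid):
    """Hardened pattern: require a plain integer id, then bind it.

    Raises ValueError for anything that is not a run of ASCII digits, so a
    SQL fragment never reaches the query; the bound parameter is sent as a
    value, not as query text.
    """
    text = str(en_tyid).strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError("EN_tyid must be a positive integer id")
    sql = "SELECT type_name FROM event_types WHERE type_id = ?"
    return [row[0] for row in conn.execute(sql, (int(text),))]


def fixed_rejects(conn, en_tyid):
    """True if the hardened handler refuses the value outright."""
    try:
        lookup_type_fixed(conn, en_tyid)
    except ValueError:
        return True
    return False


# Constructed attacker values for the EN_tyid parameter.
PAYLOAD_TAUTOLOGY = "2 OR 1=1"
PAYLOAD_UNION = ("1 UNION ALL SELECT username || ':' || password_hash "
                 "FROM user_accounts")


if __name__ == "__main__":
    db = make_db()
    print("honest id, vulnerable :", lookup_type_vulnerable(db, "2"))
    print("tautology, vulnerable :", lookup_type_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("union, vulnerable     :", lookup_type_vulnerable(db, PAYLOAD_UNION))
    print("honest id, fixed      :", lookup_type_fixed(db, "2"))
    print("union, fixed rejected :", fixed_rejects(db, PAYLOAD_UNION))
```

The UNION payload is the one that matters for this page: through nothing more than the event-type selector, the vulnerable handler returns a row from a table the event editor never needed to touch. Binding alone would already stop that; the digit check in front of it additionally turns a malformed id into a loud validation error rather than a silent database error, which is what a detection rule or application log should be watching for.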

Responsible

GitHub M

Reservation

12/11/2025

Disclosure

12/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00042

KEV

no

Activities

very low
