CVE-2026-24854 in ChurchCRM
Summary
by MITRE • 01/30/2026
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.
Analysis
by VulDB Data Team • 01/30/2026
The vulnerability CVE-2026-24854 represents a critical SQL injection flaw within ChurchCRM version 5.1.0 through 6.7.1, specifically affecting the PaddleNumEditor.php endpoint. This issue demonstrates a fundamental weakness in input validation and query construction that allows attackers to manipulate database operations through crafted malicious input. The vulnerability is particularly concerning because it affects any authenticated user regardless of their permission level, including those with zero assigned permissions, indicating a lack of proper access controls and input sanitization mechanisms.
The technical exploitation occurs through the PerID parameter within the PaddleNumEditor.php endpoint, where user-supplied input is directly incorporated into SQL queries without proper sanitization or parameterization. This vulnerability falls under CWE-89, which specifically addresses SQL injection flaws, and represents a classic case of improper input validation where user data flows directly into database execution contexts. The attack vector demonstrates how even minimal user privileges can be leveraged to execute arbitrary SQL commands against the underlying database system, potentially allowing for data exfiltration, modification, or complete database compromise.
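The defect class described above, the request parameter concatenated into the statement, and its parameterized counterpart, shown as an added example. This is illustrative code, not ChurchCRM's own source or schema: the `person` table, its rows and the function names are constructed for the demonstration, and an in-memory SQLite database stands in for the application's MySQL backend.

```python
import re
import sqlite3
from typing import Optional

# Constructed sample schema and rows standing in for a person record with a
# paddle number. Illustration only; not ChurchCRM's schema or code.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (per_id INTEGER PRIMARY KEY, name TEXT, paddle_num INTEGER)"
    )
    conn.executemany(
        "INSERT INTO person VALUES (?, ?, ?)",
        [(1, "Alice", 101), (2, "Bob", 102), (3, "Carol", 103)],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, per_id: str) -> list:
    # Anti-pattern (CWE-89): the raw request parameter is concatenated into
    # the statement, so its content becomes part of the SQL grammar.
    sql = "SELECT per_id, name, paddle_num FROM person WHERE per_id = " + per_id
    return conn.execute(sql).fetchall()

INT_RE = re.compile(r"[0-9]+")

def parse_per_id(value: str) -> Optional[int]:
    # Allow-list validation: an identifier must be a positive ASCII decimal
    # integer; anything else is rejected before it reaches the database.
    if not isinstance(value, str) or INT_RE.fullmatch(value) is None:
        return None
    pid = int(value)
    return pid if pid > 0 else None

def lookup_fixed(conn: sqlite3.Connection, per_id: str) -> list:
    # Hardened form: validate the type first, then bind the value as a query
    # parameter so the database engine never interprets it as SQL.
    pid = parse_per_id(per_id)
    if pid is None:
        raise ValueError("PerID must be a positive integer")
    return conn.execute(
        "SELECT per_id, name, paddle_num FROM person WHERE per_id = ?", (pid,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))          # one row
    print(lookup_vulnerable(db, "2 OR 1=1"))   # every row: the WHERE clause was rewritten
    print(lookup_fixed(db, "2"))               # one row
    try:
        lookup_fixed(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The second vulnerable call returns the whole table because the appended text changes the query's logic; the hardened path rejects the same input during validation, and even a value that passed validation would be bound as data rather than spliced into the statement. Validation and parameter binding are complementary: binding alone stops injection, while the integer check also gives the endpoint a clear failure mode for malformed input.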
The operational impact of this vulnerability extends beyond simple data theft, as it provides attackers with the ability to escalate privileges and manipulate church management data in ways that could compromise sensitive information including member details, financial records, and organizational data. The fact that users with zero permissions can exploit this vulnerability indicates a critical flaw in the application's security model and access control implementation, potentially allowing unauthorized individuals to gain deeper system access. This vulnerability could enable attackers to extract confidential information, modify database entries, or even establish persistent access to the system through database-level backdoors.
Organizations using ChurchCRM versions prior to 6.7.2 should immediately implement the patch available in version 6.7.2 to remediate this vulnerability. The patch likely addresses the SQL injection issue through proper parameterization of database queries and implementation of input validation mechanisms. Security measures should include monitoring for unauthorized access attempts, implementing network segmentation to limit database access, and conducting thorough security assessments of the application's database interactions. Additionally, organizations should consider implementing web application firewalls and database activity monitoring to detect and prevent exploitation attempts. This vulnerability aligns with ATT&CK technique T1071.004 for application layer protocol usage and T1190 for exploitation of remote services, highlighting the need for comprehensive security controls that address both application-level and network-level threats.
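One concrete form the monitoring recommended above can take, as an added example rather than anything shipped with ChurchCRM or VulDB: a scan of web-server access logs that flags requests to `PaddleNumEditor.php` whose `PerID` value is not a plain integer. The log lines are constructed for the example, and it assumes the endpoint is served from the site root and that the parameter arrives in the query string.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined-log style prefix).
# They are illustrative and not taken from any real deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [30/Jan/2026:10:15:02 +0000] "GET /PaddleNumEditor.php?PerID=42 HTTP/1.1" 200 1234
10.0.0.9 - bob [30/Jan/2026:10:16:40 +0000] "GET /PaddleNumEditor.php?PerID=42%20OR%201%3D1 HTTP/1.1" 200 9876
10.0.0.9 - bob [30/Jan/2026:10:17:01 +0000] "GET /PaddleNumEditor.php?PerID=7 HTTP/1.1" 200 1200
10.0.0.7 - carol [30/Jan/2026:10:18:13 +0000] "GET /index.php?PerID=abc HTTP/1.1" 200 555
"""

# Fields of interest from a combined-format line: client, auth user,
# timestamp, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r"[0-9]+")
WATCHED_PATH = "/paddlenumeditor.php"   # assumption: application served at site root
WATCHED_PARAM = "perid"                 # compared case-insensitively

def scan_log(text: str) -> list:
    """Return one finding per PerID value on the watched endpoint that is
    not a plain decimal integer. The value is URL-decoded before the check."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != WATCHED_PATH:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for name, values in query.items():
            if name.lower() != WATCHED_PARAM:
                continue
            for value in values:
                if INT_RE.fullmatch(value) is None:
                    findings.append({
                        "ip": m.group("ip"),
                        "user": m.group("user"),
                        "ts": m.group("ts"),
                        "status": m.group("status"),
                        "value": value,
                    })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} status={f['status']} PerID={f['value']!r}")
```

Only the second line is reported: the decoded value contains text where an integer is expected, while the `index.php` request with a bad `PerID` is ignored because the endpoint differs. Two caveats a practitioner should keep in mind: values submitted in a POST body do not appear in access logs, so this check covers only query-string use and a fuller picture needs application or database-level logging; and an HTTP 200 on a flagged request is not proof of success, only that the request reached the endpoint, which on an unpatched instance is already worth investigating.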