CVE-2026-58409 in ChurchCRM
Summary
by MITRE • 07/14/2026
ChurchCRM is an open-source church management system. Prior to version 7.4.0, an authenticated administrator can achieve Remote Code Execution (RCE) on the server by installing a malicious plugin ZIP archive containing a PHP webshell. The application explicitly includes 'php' in its ALLOWED_EXTENSIONS list, while the dangerous extensions denylist (DENIED_EXTENSIONS) fails to block standard .php files. Because `php` is explicitly included in the allowed extension list for plugin archives, and extracted files are placed directly under the web root, any PHP file inside the ZIP becomes immediately executable via HTTP — without even needing to "enable" the plugin through the application UI. The /plugins/install-url API route (management.php) allows an administrator to source the malicious ZIP from any attacker-controlled HTTPS URL, validating it only against an attacker-supplied SHA-256 hash. This issue has been fixed in version 7.4.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability in ChurchCRM represents a critical remote code execution flaw that demonstrates poor input validation and insecure file handling practices within the application's plugin installation mechanism. The vulnerability exists due to a fundamental design flaw where the application maintains an explicit whitelist of allowed file extensions while simultaneously failing to properly enforce a comprehensive denylist. The ALLOWED_EXTENSIONS configuration includes 'php' as an explicitly permitted extension, creating a dangerous overlap with the DENIED_EXTENSIONS list that does not adequately block standard php files, resulting in a logical inconsistency that attackers can exploit.
The technical exploitation occurs through the /plugins/install-url API endpoint which accepts plugin archives from arbitrary HTTPS URLs and performs validation only against a SHA-256 hash provided by the attacker. This approach bypasses any meaningful file content inspection or extension validation, allowing an authenticated administrator to upload malicious PHP webshells directly to the server's web root directory. The vulnerability is particularly severe because the extracted files are placed directly under the web root without proper sanitization or access control measures, meaning that any PHP file within the uploaded ZIP archive becomes immediately executable via HTTP requests. This eliminates the need for additional privilege escalation or plugin activation steps that would normally be required in such scenarios.
The operational impact of this vulnerability is significant as it provides attackers with complete server compromise capabilities once they can authenticate as an administrator. The attack vector requires only a single authenticated session, making it particularly dangerous in environments where administrative credentials might be compromised through social engineering, credential stuffing, or other common attack techniques. This vulnerability directly maps to CWE-434 which describes insecure file upload vulnerabilities, and aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as the PHP webshell allows arbitrary code execution on the target system. The issue represents a classic case of insufficient input validation combined with improper file handling, where the application fails to properly validate that uploaded files conform to security expectations.
Mitigation strategies should focus on implementing proper file extension validation mechanisms that do not rely solely on whitelisting approaches, but rather employ comprehensive validation that considers both allowed and denied extensions. Organizations should immediately upgrade to ChurchCRM version 7.4.0 or later where this vulnerability has been addressed through improved file validation logic and more robust plugin installation procedures. Additional protective measures include implementing proper file permission controls, removing the ability for uploaded files to be directly executable from the web root, and establishing comprehensive monitoring for unusual plugin installation activities. The fix should also include strengthening the SHA-256 validation process to ensure that content integrity checks are properly enforced alongside cryptographic verification, preventing attackers from substituting malicious payloads for legitimate updates without detection.