| Title | ChurchCRM <= 5.18.0 Remote Code Execution (RCE) |
|---|---|
| Description | Critical pre-authentication remote code execution in the ChurchCRM setup wizard. Attackers can inject arbitrary PHP code via setup form parameters that are directly concatenated into executable configuration files without validation, achieving immediate server compromise during the mandatory installation process. |
| Source | https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md |
| User | uartu0 (UID 90021) |
| Submission | 10/08/2025 04:45 (6 months ago) |
| Moderation | 10/18/2025 14:54 (10 days later) |
| Status | Accepted |
| VulDB entry | 329014 [ChurchCRM up to 5.18.0 setup/routes/setup.php DB_PASSWORD/ROOT_PATH/URL deserialization] |
| Points | 17 |