Unrated severityNVD Advisory· Published Feb 18, 2025· Updated Feb 18, 2025

SQL Injection in ChurchCRM newCountName Parameter via EditEventTypes.php

CVE-2025-1023

Description

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.

Affected products

Churchcrm/Churchcrmv5
Range: ChurchCRM 5.13.0 and prior

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ChurchCRM/CRM/issues/7246mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000