CVE-2025-67877

Summary

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the src/CartToFamily.php file, specifically in how the PersonAddress POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the InputUtils class, the PersonAddress parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
ChurchCRMCRM< 6.5.3affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References