CVE-2025-68109

Summary

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
ChurchCRMCRM< 6.5.3affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-434: CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-494: CWE-494: Download of Code Without Integrity Check
  • CWE-552: CWE-552: Files or Directories Accessible to External Parties
  • CWE-915: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References