CVE-2026-42289
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ChurchCRM | CRM | < 7.3.2 | affected |
Weaknesses
- CWE-269: CWE-269: Improper Privilege Management
- CWE-306: CWE-306: Missing Authentication for Critical Function
- CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.