ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0.
The ChurchCRM installation wizard does not sanitize the `$dbPassword` variable, which allows an attacker to inject arbitrary PHP code without authentication. The vulnerability is the result of an incomplete patch for the previous CVE-2025-62521 vulnerability, which did not cover all dangerous entry points. The payload passed by the attacker can be executed directly by the server during the application configuration process.
An attacker without any privileges can execute arbitrary code on the server and gain full control of the system, including access to all user data, databases, and the ability to install backdoors.
ChurchCRM must be immediately updated to version 7.1.0, in which the vulnerability has been fixed. If an update is not possible — network access to the installation wizard (setup wizard) must be blocked until the patch is deployed.
ChurchCRM in versions before 7.1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HChurchcrm
APPChurchcrm< 7.1.0
Related vulnerabilities
SQL Injection w ChurchCRM przez parametr searchwhat (QueryView.php)
ChurchCRM — krytyczny auth bypass w API middleware
ChurchCRM: Path Traversal i RCE przez funkcję przywracania kopii zapasowej
ChurchCRM: ujawnienie danych logowania do bazy danych w komunikacie błędu
Stored XSS w ChurchCRM — przejęcie konta przez nazwy ról grup