CVE-2025-11939
BaseFortify

Publication date: 2025-10-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in ChurchCRM up to and including 5.18.0. It affects an unknown function of the file src/ChurchCRM/Backup/RestoreJob.php in the Backup Restore Handler component. Manipulating the restoreFile argument can lead to path traversal (CWE-22). The attack may be launched remotely. An exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product     Version / Range
churchcrm   churchcrm   up to 5.18.0 (inclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
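As an added illustration of what "properly neutralize" means for CWE-22 in a restore handler, the Python function below (example code written for this page, not ChurchCRM's own code, which is not shown here) accepts a restore-file name the way a hardened handler would: it fully percent-decodes the value, rejects null bytes and anything that is not a plain file name, and then confirms that the resolved path still lies under the backup directory even after symlink resolution. The BACKUP_DIR value and the file names are assumptions for the example; the page does not say where ChurchCRM stores its backups.

```python
import os
import re
from urllib.parse import unquote

# Assumed backup directory for the example; the page does not state
# where ChurchCRM keeps its backups.
BACKUP_DIR = "/var/backups/churchcrm"

# A restore-file name should be a bare file name: it must start with an
# alphanumeric character (so ".", ".." and dotfiles such as ".htaccess" are
# out) and may contain only letters, digits, "_", "." and "-" (so "/" and
# "\" are out).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. ..%252F.. -> ../), up to `rounds` layers."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_restore_path(user_value, base_dir=BACKUP_DIR):
    """Return the absolute path of the backup to restore, or None when the
    supplied value is not a plain file name inside base_dir."""
    name = fully_decode(user_value)
    # Null bytes can truncate the path in lower-level APIs; refuse them outright.
    if "\x00" in name:
        return None
    # Allowlist the shape of the name instead of blocklisting "../": this
    # rejects separators, dotfiles, ".", "..", backslashes and spaces.
    if not SAFE_NAME.fullmatch(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Containment check after symlink resolution: a symlink planted in the
    # backup directory must not redirect the restore outside it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("ChurchCRM-Backup-2025-10-19.tar.gz", "../../etc/passwd",
                  "..%252F..%252Fetc%252Fpasswd", ".htaccess", "/etc/passwd"):
        print(f"{probe!r:40} -> {resolve_restore_path(probe)}")
```

The allowlist does most of the work; the realpath/commonpath check is kept as a second layer because an attacker who can already write into the backup directory could otherwise plant a symlink and turn a "safe" name into a write elsewhere.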
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a path traversal flaw (CWE-22) in ChurchCRM versions up to and including 5.18.0, in the Backup Restore Handler component (src/ChurchCRM/Backup/RestoreJob.php). An authenticated administrator can supply a restoreFile value containing directory-traversal sequences so that the restore operates on a path outside the intended backup directory. According to the public disclosure, this can lead to unauthorized file writes, such as overwriting Apache .htaccess files or dropping PHP webshells, potentially enabling remote code execution on the server. [1, 3]


How can this vulnerability impact me? :

The vulnerability can impact you by allowing an attacker with elevated privileges to execute arbitrary code remotely on your server. This can compromise the confidentiality, integrity, and availability of your system by enabling unauthorized file access, modification, and potentially full system control through webshells. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The file src/ChurchCRM/Backup/RestoreJob.php is part of every ChurchCRM install, so locating it identifies installations to check rather than confirming exposure; for each one found, compare the installed version against the affected range (up to and including 5.18.0). On Linux, `find / -path '*src/ChurchCRM/Backup/RestoreJob.php' 2>/dev/null` locates installs. Google dorking such as `inurl:src/ChurchCRM/Backup/RestoreJob.php` can surface exposed instances online, bearing in mind that the on-disk path and the URL path need not match. To spot exploitation attempts, review web-server access logs for requests to the restore handler whose restoreFile parameter contains `../` or encoded variants such as `..%2F` or `%2e%2e%2f`, and check for recently changed files in the webroot, for example `find /path/to/webroot \( -name '.htaccess' -o -name '*.php' \) -mtime -7 -ls`; unexpected .htaccess changes or new PHP files are strong indicators of a successful attack. [3]
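To make the log-review step concrete, here is an added example (not from this page or the ChurchCRM project) that scans access-log lines in Apache/nginx combined format for requests whose restoreFile query parameter contains a traversal sequence or an absolute path after full percent-decoding. The log lines are constructed for the example and the /admin/restore URL path is an assumption, since the page does not give the real handler route. Only GET query strings appear in access logs; a parameter sent in a POST body needs a WAF or application-level log to catch.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the /admin/restore path is assumed, not ChurchCRM's real route.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Oct/2025:10:01:02 +0000] "GET /admin/restore?restoreFile=ChurchCRM-Backup.tar.gz HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Oct/2025:10:02:15 +0000] "GET /admin/restore?restoreFile=../../../var/www/html/.htaccess HTTP/1.1" 200 88',
    '203.0.113.9 - - [19/Oct/2025:10:03:40 +0000] "GET /admin/restore?restoreFile=..%2F..%2Fshell.php HTTP/1.1" 200 88',
    '203.0.113.9 - - [19/Oct/2025:10:04:01 +0000] "GET /admin/restore?restoreFile=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 88',
    '203.0.113.9 - - [19/Oct/2025:10:05:30 +0000] "GET /admin/restore?restoreFile=/etc/passwd HTTP/1.1" 403 0',
    '192.0.2.4 - - [19/Oct/2025:10:06:00 +0000] "GET /images/logo.png?file=../../x HTTP/1.1" 200 4096',
    'this line is not in combined log format',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. ..%252F.. -> ../), up to `rounds` layers."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the decoded value is an absolute path, contains a null byte,
    or contains a ".." path segment (with "/" or "\\" as separator)."""
    v = fully_decode(value)
    if "\x00" in v:
        return True
    norm = v.replace("\\", "/")
    if norm.startswith("/"):
        return True
    return any(seg == ".." for seg in norm.split("/"))


def scan_access_log(lines, param="restoreFile"):
    """Return (ip, timestamp, target) for each request whose `param` looks like traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash
        query = urlsplit(m.group("target")).query
        # parse_qs removes one layer of percent-encoding; fully_decode handles the rest.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_traversal(value):
                hits.append((m.group("ip"), m.group("ts"), m.group("target")))
                break
    return hits


if __name__ == "__main__":
    for ip, ts, target in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

Run it against a real log with `scan_access_log(open("/var/log/apache2/access.log"))`; a 200 response on a flagged request deserves a look at the webroot for new or modified files, while a 403 suggests the attempt was blocked.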


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting the Backup Restore Handler to the smallest set of trusted administrators, since exploitation requires elevated privileges, and protecting those accounts with strong, unique credentials. Since no official patch or vendor response is available, limit or disable the restore functionality until a fix ships, and place the administrative interface behind network-level access controls (VPN or IP allowlisting) so the endpoint is not reachable from the open internet. Review and harden file-system permissions so that the web-server user cannot write to the document root or to .htaccess files; this blunts the file-write primitive even if the traversal itself succeeds. Monitor file uploads and any unusual values of the restoreFile argument, and apply the vendor fix as soon as one is released. [1, 3]

