CVE-2025-67751

Unknown Unknown - Not Provided

BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-17

Assigner: GitHub, Inc.

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-12-16

Last Modified

2025-12-17

Generated

2026-06-16

AI Q&A

2025-12-16

EPSS Evaluated

2026-06-14

NVD

CVE-2025-67751

EUVD

EUVD-2025-203486

Affected Vendors & Products

Vendor	Product	Version / Range
churchcrm	churchcrm	to 6.5.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2025-67751 is a high-severity SQL injection vulnerability in the ChurchCRM application, specifically in the EventEditor.php file before version 6.5.0. The vulnerability occurs because the EN_tyid POST parameter, used when creating a new event and selecting an event type, is not sanitized or type-checked before being embedded directly into a SQL query. An authenticated user with event management permissions (isAddEvent) can exploit this by injecting malicious SQL code into the EN_tyid parameter, allowing them to execute arbitrary SQL queries on the database. This can lead to unauthorized data access, modification, or deletion. [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data such as user credentials, financial information, and personal data stored in the ChurchCRM database. An attacker with event management permissions can execute arbitrary SQL queries, potentially leading to data exfiltration, data modification, or deletion, resulting in a full compromise of the application's database and its availability. [1]

Detection Guidance

This vulnerability can be detected by intercepting and analyzing POST requests to EventEditor.php, specifically looking at the EN_tyid parameter. A common detection method is to test for time-based blind SQL injection by injecting a payload such as: EN_tyid=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a). If the server response is delayed by approximately 5 seconds, it confirms the vulnerability. This can be done using tools like curl or Burp Suite to modify POST parameters and observe response times. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading ChurchCRM to version 6.5.0 or later, where the vulnerability is fixed by replacing raw SQL queries with parameterized queries using the Propel ORM. If upgrading is not immediately possible, restrict event management permissions to trusted users only, monitor and log POST requests to EventEditor.php for suspicious activity, and consider applying custom patches that sanitize the EN_tyid parameter. Ultimately, applying the official fix that uses ORM-based queries is necessary to fully mitigate the risk. [2]

Compliance Impact

The SQL injection vulnerability in ChurchCRM allows an authenticated user with event management permissions to execute arbitrary SQL queries, potentially leading to unauthorized access, modification, or deletion of sensitive data such as user credentials, financial information, and personal data. This unauthorized data exposure and manipulation can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches. [1]

Hi! I’m here to help you understand CVE-2025-67751. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-67751

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart