CVE-2025-67877
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67877
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 6.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection in ChurchCRM versions prior to 6.5.3. It occurs in the src/CartToFamily.php file where the PersonAddress POST parameter is not properly type-checked or sanitized. Unlike other parameters that are cast to integers, PersonAddress lacks this protection, allowing an attacker to inject arbitrary SQL commands into the database query.

Impact Analysis

An attacker exploiting this SQL injection vulnerability could execute arbitrary SQL commands on the ChurchCRM database. This could lead to unauthorized data access, data modification, or deletion, potentially compromising sensitive information stored in the system.

Mitigation Strategies

Upgrade ChurchCRM to version 6.5.3 or later, as this version fixes the SQL injection vulnerability in the src/CartToFamily.php file related to the PersonAddress POST parameter.

Compliance Impact

This vulnerability allows attackers to perform SQL injection attacks that can expose personally identifiable information (PII) and sensitive data such as admin password hashes. Exposure of such data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. Therefore, the vulnerability poses a significant risk to compliance with these standards. [1]

Detection Guidance

This vulnerability can be detected by testing the 'PersonAddress' POST parameter in the 'Add to Family' feature of ChurchCRM for SQL injection. You can attempt to send specially crafted POST requests with payloads such as 'PersonAddress=1 OR 1=1' to see if the query returns all records, indicating a Boolean-based SQL injection. For example, using curl to test the vulnerability: curl -X POST -d "PersonAddress=1 OR 1=1" https://yourchurchcrm.example.com/src/CartToFamily.php If the response contains more data than expected or reveals sensitive information, the system is vulnerable. Additionally, monitoring logs for unusual SQL errors or unexpected query results related to 'PersonAddress' can help detect exploitation attempts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart