CVE-2025-68111
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the `MissingEgive_FamID_...` POST parameter. This can lead to unauthorized data access, modification, or deletion within the database. Version 6.5.3 has a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68111
EUVD
EUVD-2025-203988
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 6.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection in ChurchCRM versions prior to 6.5.3, specifically in the 'ReImport' functionality within the eGive.php file. An authenticated user with finance privileges can manipulate the 'MissingEgive_FamID_...' POST parameter to execute arbitrary SQL queries on the database.

Impact Analysis

The vulnerability can lead to unauthorized access, modification, or deletion of data within the ChurchCRM database, potentially compromising sensitive financial and personal information.

Mitigation Strategies

Upgrade ChurchCRM to version 6.5.3 or later, as this version contains the patch that fixes the SQL injection vulnerability in the eGive.php file. Additionally, restrict finance privileges to trusted users only and monitor for any unusual database activity.

Compliance Impact

This vulnerability allows an authenticated user with finance privileges to perform SQL injection attacks, potentially leading to unauthorized access, modification, or deletion of sensitive data within the database. Such unauthorized data access and manipulation can result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity. Therefore, the presence of this vulnerability could lead to non-compliance with these common standards and regulations. [1]

Detection Guidance

This vulnerability can be detected by attempting a time-based blind SQL injection on the POST parameter MissingEgive_FamID_... during the ReImport functionality in ChurchCRM. For example, an authenticated user with finance privileges can submit a POST request with a payload like: 1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1. If the server response is delayed by approximately 5 seconds, it indicates a successful SQL injection. To test this, you can use tools like curl or Burp Suite to craft and send the POST request with the manipulated parameter. Example curl command: curl -X POST -d "MissingEgive_FamID_test=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1" https://yourchurchcrm.example.com/path/to/ReImport -b cookies.txt (where cookies.txt contains authenticated session cookies). Monitoring response times for delays can help detect the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart