CVE-2026-24854
SQL Injection in ChurchCRM /PaddleNumEditor.php Allows Data Access
Publication date: 2026-01-30
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | all versions before 6.7.2 (6.7.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24854 is a high-severity SQL injection vulnerability in ChurchCRM's PaddleNumEditor.php endpoint. It occurs because the PerID parameter from a POST request is not properly sanitized or type cast before being concatenated into an SQL query. This allows any authenticated user, even those with zero assigned permissions, to inject malicious SQL code. The vulnerability enables attackers to manipulate the database queries, potentially leading to unauthorized data access or modification. [1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to complete compromise of the ChurchCRM database, including reading, writing, and deleting data. Attackers can extract all sensitive information stored in ChurchCRM, escalate privileges, and possibly execute remote code depending on the SQL server configuration. The impact affects confidentiality, integrity, and availability of the system with high severity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the SQL injection in the /PaddleNumEditor.php endpoint using the PerID parameter. A proof-of-concept involves injecting payloads such as 'sleep(5)-- -' into the PerID parameter and observing a delay in the response time, indicating SQL execution. Automated tools like sqlmap can be used to test for this SQL injection by targeting the POST request to /PaddleNumEditor.php with the PerID parameter. Additionally, intercepting and modifying POST requests to this endpoint while logged in as any authenticated user can help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 6.7.2 or later, where the vulnerability is patched. The patch involves casting the PerID, Num, and related parameters to integers before using them in SQL queries, preventing SQL injection. If upgrading is not immediately possible, ensure that input parameters to /PaddleNumEditor.php are properly sanitized and type cast to integers to prevent malicious input from altering SQL queries. [2]
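As an added illustration (not ChurchCRM's own code), the snippet below shows the CWE-89 pattern the advisory describes, the raw `PerID` POST value concatenated into a query string, beside a hardened version that validates `PerID` and `Num` as non-negative integers, casts them, and binds them as prepared-statement parameters. The table and column names, the `$pdo` connection and the function names are assumptions chosen only to demonstrate the fix.

```php
<?php
// Added example, not ChurchCRM's own code: table/column names, $pdo and the
// function names are assumptions used only to show the before/after pattern.

// BEFORE (CWE-89): the raw POST values are spliced into the SQL string, so any
// non-numeric text submitted as PerID or Num becomes part of the query.
function loadPaddleVulnerable(PDO $pdo, array $post): ?array
{
    $perId = $post['PerID'] ?? '';
    $num   = $post['Num'] ?? '';
    $sql = "SELECT per_ID, pad_Num FROM paddle_assignment"
         . " WHERE per_ID = " . $perId . " AND pad_Num = " . $num;
    $stmt = $pdo->query($sql);
    $row  = $stmt ? $stmt->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

// AFTER: each identifier-like parameter must be a non-negative integer and is
// rejected before any SQL is built. The integer cast alone already defeats the
// injection; binding the value as a typed parameter additionally keeps the
// query shape fixed regardless of input.
function requireIntParam(array $post, string $name): int
{
    $value = filter_var(
        $post[$name] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($value === false) {
        throw new InvalidArgumentException("$name must be a non-negative integer");
    }
    return $value;
}

function loadPaddleHardened(PDO $pdo, array $post): ?array
{
    $perId = requireIntParam($post, 'PerID');
    $num   = requireIntParam($post, 'Num');
    $stmt = $pdo->prepare(
        "SELECT per_ID, pad_Num FROM paddle_assignment"
        . " WHERE per_ID = :per_id AND pad_Num = :num"
    );
    $stmt->bindValue(':per_id', $perId, PDO::PARAM_INT);
    $stmt->bindValue(':num', $num, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-check of the validator alone (no database needed): a tampered value is
// rejected before reaching the query, a legitimate id is accepted.
try {
    requireIntParam(['PerID' => '1 OR 1=1'], 'PerID');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
echo "accepted: " . requireIntParam(['PerID' => '42'], 'PerID') . PHP_EOL;
```

The validator is deliberately strict rather than sanitising: a request whose `PerID` is not a plain integer is an error worth logging, not a value to clean up, which is also the simplest signal a defender can alert on for this endpoint.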
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in ChurchCRM allows any authenticated user to execute arbitrary SQL commands, potentially leading to complete database compromise including reading, modifying, or deleting sensitive data. This could result in unauthorized access to personal or sensitive information managed by the system, thereby risking non-compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding sensitive data against unauthorized access and breaches. [1]