CVE-2026-34402
Time-Based Blind SQL Injection in ChurchCRM PropertyAssign.php
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | to 7.1.0 (exc) |
| churchcrm | churchcrm | 7.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with certain permissions to exfiltrate or modify any database content, including user credentials and personally identifiable information (PII). This exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal data and user privacy.
Because the vulnerability compromises confidentiality and integrity of sensitive information, organizations using affected versions of ChurchCRM may face risks of data breaches, potentially resulting in regulatory penalties and loss of trust.
Can you explain this vulnerability to me?
CVE-2026-34402 is a high-severity time-based blind SQL injection vulnerability in ChurchCRM version 7.0.5, specifically in the PropertyAssign.php endpoint.
Authenticated users who have either Edit Records or Manage Groups permissions can exploit this vulnerability by injecting malicious SQL code into the 'Value' parameter of a POST request.
The root cause is that the input sanitization function only removes HTML tags and trims whitespace but does not perform any SQL escaping or use prepared statements, allowing direct interpolation of user input into SQL queries.
This allows attackers to exfiltrate or modify any database content, including sensitive data such as user credentials, personally identifiable information (PII), and configuration secrets.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized access to and modification of sensitive database content.
- Exfiltration of user credentials, which could lead to account compromise.
- Exposure of personally identifiable information (PII), risking privacy violations.
- Modification of configuration secrets, potentially undermining system security.
Since the attack requires only low privileges (authenticated user with specific permissions) and no user interaction, it is relatively easy for an attacker with access to exploit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a time-based blind SQL injection payload to the vulnerable endpoint and measuring response delays.
A manual testing example involves using cURL to send a POST request with an injection payload to the PropertyAssign.php endpoint and observing whether the response is delayed, which indicates successful injection.
- Use a cURL command to send a POST request with a payload like `' OR IF(ASCII(SUBSTRING((SELECT usr_Password FROM user_usr WHERE usr_per_ID=1 LIMIT 1),1,1))=36,SLEEP(2),0)-- -` in the Value parameter.
- Example cURL command: `curl -X POST -d "Value=' OR IF(ASCII(SUBSTRING((SELECT usr_Password FROM user_usr WHERE usr_per_ID=1 LIMIT 1),1,1))=36,SLEEP(2),0)-- -" "http://target/PropertyAssign.php?PersonID=1&PropertyID=1"`
If the response is delayed by approximately 2 seconds, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying proper SQL escaping to user inputs before they are used in SQL queries.
Specifically, use functions like mysqli_real_escape_string() on the input value before passing it to the SQL query to prevent injection.
- Modify the code to escape the Value parameter, for example: `global $cnInfoCentral; $sValue = mysqli_real_escape_string($cnInfoCentral, $sValue);`
Additionally, ensure that only authenticated users with the necessary permissions (Edit Records or Manage Groups) have access to this endpoint.
Upgrade to ChurchCRM version 7.1.0 or later once the patch is available, as this version fixes the vulnerability.
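As an added illustration (not ChurchCRM's code and not part of this advisory) of the root cause described above and of the two fixes discussed, the following PHP contrasts the vulnerable interpolation pattern with a prepared statement and with the escaping approach recommended as an interim step. The table and column names, the `$cnInfoCentral` mysqli connection and the function names are assumptions made for the example.

```php
<?php
// Added illustration, not ChurchCRM's code. Table/column names, the mysqli
// connection $cnInfoCentral and the function names are assumptions.

// Vulnerable pattern described in the advisory: strip_tags() and trim() remove
// HTML, but neither is SQL escaping, so Value is interpolated into the query.
function assignPropertyUnsafe(mysqli $cnInfoCentral, int $personId, int $propertyId, string $rawValue): bool
{
    $sValue = trim(strip_tags($rawValue));          // HTML sanitisation only
    $sSQL = "UPDATE record2property_r2p SET r2p_Value = '$sValue'
             WHERE r2p_record_ID = $personId AND r2p_pro_ID = $propertyId";
    return (bool) $cnInfoCentral->query($sSQL);     // attacker-controlled SQL reaches the server
}

// Preferred fix: a prepared statement keeps data and SQL structure separate, so
// the contents of Value cannot change the statement. strip_tags()/trim() may stay
// for presentation, but they are no longer what protects the query.
function assignPropertySafe(mysqli $cnInfoCentral, int $personId, int $propertyId, string $rawValue): bool
{
    $sValue = trim(strip_tags($rawValue));
    $stmt = $cnInfoCentral->prepare(
        'UPDATE record2property_r2p SET r2p_Value = ?
          WHERE r2p_record_ID = ? AND r2p_pro_ID = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $cnInfoCentral->error);
    }
    $stmt->bind_param('sii', $sValue, $personId, $propertyId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// The advisory's interim mitigation (escape, then interpolate). Only sound when
// the escaped value sits inside quotes AND the connection charset was set with
// $cnInfoCentral->set_charset('utf8mb4'); integer IDs are cast, not escaped.
function assignPropertyEscaped(mysqli $cnInfoCentral, int $personId, int $propertyId, string $rawValue): bool
{
    $sValue = $cnInfoCentral->real_escape_string(trim(strip_tags($rawValue)));
    return (bool) $cnInfoCentral->query(
        "UPDATE record2property_r2p SET r2p_Value = '$sValue'
          WHERE r2p_record_ID = $personId AND r2p_pro_ID = $propertyId"
    );
}

// At the endpoint: query-string IDs are cast to int and the POST body's Value is
// handed untouched to assignPropertySafe(), which binds it as data.
$personId   = (int) ($_GET['PersonID'] ?? 0);
$propertyId = (int) ($_GET['PropertyID'] ?? 0);
$rawValue   = (string) ($_POST['Value'] ?? '');
```

The prepared-statement variant is the durable fix; the escaping variant matches the interim advice above but depends on the quoting and charset conditions noted in its comment.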