CVE-2026-39319
Second-Order SQL Injection in ChurchCRM /FundRaiserEditor.php
Publication date: 2026-04-07
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | < 7.1.0 (7.1.0 excluded; i.e. up to and including 7.0.5) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated users to perform arbitrary SQL injection attacks, leading to full read, write, and delete access to the ChurchCRM database. Such unauthorized access and modification of sensitive data can result in data breaches.
Data breaches caused by this vulnerability could lead to non-compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive information. The exposure or alteration of sensitive data managed by ChurchCRM may violate these regulations' requirements for data confidentiality, integrity, and availability.
Therefore, organizations using vulnerable versions of ChurchCRM risk regulatory penalties and loss of trust due to potential unauthorized disclosure or manipulation of protected data.
Can you explain this vulnerability to me?
CVE-2026-39319 is a critical second-order SQL injection vulnerability in ChurchCRM, an open-source church management system. It affects versions up to and including 7.0.5 and is fixed in version 7.1.0.
The vulnerability lies in the endpoint /FundRaiserEditor.php, where an authenticated user, without needing any special privileges, can control the value of the PHP session variable iCurrentFundraiser. That value originates from user-supplied request input and is stored in the session with insufficient filtering, so an attacker can plant arbitrary SQL in it.
The injection is second-order because the payload is not executed by the request that stores it: the iCurrentFundraiser session variable is later read into SQL queries across multiple PHP files without sanitization or parameterization, and the stored SQL runs at that point. This allows extraction, modification, and deletion of data in the database.
How can this vulnerability impact me?
This vulnerability allows an attacker with only authenticated access and no special privileges to fully compromise the ChurchCRM database.
- Full read, write, and delete access to all data managed by ChurchCRM.
- Extraction of sensitive information stored in the database.
- Modification or deletion of critical data.
- Potential privilege escalation within the application.
- Possible remote code execution, but only where the database server and the ChurchCRM database account allow it (for example, a MySQL account with file-write privileges).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two sides: testing the application for the flaw, and watching traffic and logs for exploitation.
For testing, authenticate as an ordinary user and supply a SQL payload in the request to /FundRaiserEditor.php that sets iCurrentFundraiser, for example a time-based probe such as 1 AND SLEEP(5) (SLEEP is a MySQL/MariaDB function, which is the database ChurchCRM runs on). Because the injection is second-order, the delay may not appear in the response to the request that stores the value; it appears when a page that reads iCurrentFundraiser from the session runs its query, so follow the storing request with a request to such a page and time that one.
For network and log detection, inspect requests to /FundRaiserEditor.php, and to the related pages that consume iCurrentFundraiser, for SQL-like content in parameter values: quotes, comment sequences (-- or /*), UNION SELECT, tautologies such as OR 1=1, and functions such as SLEEP() or BENCHMARK(). Correlate hits with database errors or unusually slow responses in the application and database logs, since a failed injection attempt often surfaces as a SQL syntax error.
Concretely, the test requests can be sent with curl carrying the authenticated session cookie, or through an intercepting proxy; automated SQL injection tools can be pointed at the same request, but they must be configured to replay the consuming request after each payload or they will miss the second-order behaviour.
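As an added example (not the page's own, and not ChurchCRM code), a small Python scanner for the log-side check described above. It reads web-server access-log lines in combined format and flags requests to /FundRaiserEditor.php whose query-string values contain SQL metacharacters, comment sequences, UNION SELECT, tautologies, or timing functions such as SLEEP(). The endpoint path is the one the advisory names; the sample log lines, the FundRaiserID parameter name and the /SomeOtherPage.php path in them are constructed for this demo. The scanner inspects every query value on the watched endpoint, so it does not depend on knowing the parameter name.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic). The
# FundRaiserID parameter name and /SomeOtherPage.php are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - alice [08/Apr/2026:10:01:02 +0000] "GET /FundRaiserEditor.php?FundRaiserID=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [08/Apr/2026:10:01:09 +0000] "GET /FundRaiserEditor.php?FundRaiserID=3%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - bob [08/Apr/2026:10:02:15 +0000] "GET /FundRaiserEditor.php?FundRaiserID=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 312 "-" "curl/8.5.0"
10.0.0.9 - carol [08/Apr/2026:10:03:44 +0000] "GET /SomeOtherPage.php?x=1%27%20OR%201=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoint the advisory names; add the pages that consume the session value
# once you have identified them in your deployment.
WATCHED_PATHS = {"/FundRaiserEditor.php"}

# Each pattern is applied to the URL-decoded parameter value.
SQLI_PATTERNS = {
    "time-based function": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "union select": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "boolean tautology": re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I),
    "quote or statement terminator": re.compile(r"['\"`;]"),
    "comment sequence": re.compile(r"--|/\*|#"),
}


def suspicious_values(target):
    """Return [(param, decoded_value, [reasons])] for query values on a watched
    path that look like SQL; [] for other paths or clean values."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; catch double encoding
        reasons = sorted(label for label, pat in SQLI_PATTERNS.items()
                         if pat.search(decoded))
        if reasons:
            hits.append((name, decoded, reasons))
    return hits


def scan_access_log(log_text):
    """Scan combined-format log text; one finding per request with SQL-looking
    values on a watched endpoint. Status is kept because a 500 right after a
    probe usually means the injected SQL reached the database and failed."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_values(m.group("target"))
        if hits:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "user": m.group("user"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "path": urlsplit(m.group("target")).path,
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['path']} status={f['status']}")
        for name, value, reasons in f["hits"]:
            print(f"    {name}={value!r}  ({', '.join(reasons)})")
```

Two caveats when using this against real logs: access logs do not record POST bodies, so if the value is submitted in a form the scanner must be fed from an application-level log or a proxy capture instead; and the quote pattern will fire on legitimate apostrophes in free-text values, so pair the findings with database error logs and with the slow-response timing described above before treating a hit as exploitation.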
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, reduce exposure: because any authenticated account can exploit the flaw, review and prune ChurchCRM user accounts, and restrict access to /FundRaiserEditor.php and to the related pages that consume the iCurrentFundraiser session variable (for example with a web-server rule limiting them to the administrators who actually need the fundraiser feature).
If you maintain a local patch, validate the value at the point it is read from the request, before it is written to the session (it must be a positive integer ID; reject anything else), and pass it to every query that consumes it as a bound parameter rather than concatenating it into the SQL string. Validation alone is fragile; parameterization is what removes the injection.
Monitor logs for suspicious activity involving the iCurrentFundraiser parameter and SQL errors that may indicate exploitation attempts.
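The two-request flow described in the explanation above, together with the validation and parameterization recommended in this mitigation section, as an added example in Python. This is not ChurchCRM's code (ChurchCRM is PHP on MySQL/MariaDB); SQLite stands in for the database, so the page's SLEEP(5) timing payload is replaced with a boolean tautology. The table fundraiser_fr, its columns and rows, and the helper names are assumptions for this demo; the session key iCurrentFundraiser is the one the advisory names.

```python
import sqlite3

SESSION_KEY = "iCurrentFundraiser"   # the session variable the advisory names


def make_db():
    """Constructed stand-in for a fundraiser table. Schema and rows are
    assumptions for this demo, not ChurchCRM's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fundraiser_fr (fr_ID INTEGER PRIMARY KEY, fr_Title TEXT)")
    db.executemany("INSERT INTO fundraiser_fr VALUES (?, ?)",
                   [(1, "Spring Auction"), (2, "Bake Sale"), (3, "Gala Dinner")])
    return db


# --- Request 1: the editor page stores a request value in the session ---

def store_vulnerable(session, raw_value):
    """Pre-fix pattern: the request value lands in the session unchecked."""
    session[SESSION_KEY] = raw_value


def store_fixed(session, raw_value):
    """Hardened pattern: only a positive integer id is accepted; anything else
    is rejected before it can be stored for a later request to pick up."""
    if not (raw_value.isdigit() and int(raw_value) > 0):
        raise ValueError(f"rejected fundraiser id {raw_value!r}")
    session[SESSION_KEY] = int(raw_value)


# --- Request 2: a different page reads the session value into a query ---

def titles_vulnerable(db, session):
    """Pre-fix pattern: string concatenation, so SQL stored in the session runs."""
    sql = "SELECT fr_Title FROM fundraiser_fr WHERE fr_ID = " + str(session[SESSION_KEY])
    return [row[0] for row in db.execute(sql)]


def titles_fixed(db, session):
    """Hardened pattern: a bound parameter is always data, never SQL."""
    sql = "SELECT fr_Title FROM fundraiser_fr WHERE fr_ID = ?"
    return [row[0] for row in db.execute(sql, (session[SESSION_KEY],))]


def demo(payload="1 OR 1=1"):
    """Run the two-request flow and return (rows leaked by the vulnerable
    path, whether the fixed path rejected the payload, rows the fixed path
    returns for a legitimate id)."""
    db = make_db()

    session = {}
    store_vulnerable(session, payload)
    leaked = titles_vulnerable(db, session)   # the tautology returns every row

    session = {}
    try:
        store_fixed(session, payload)
        rejected = False
    except ValueError:
        rejected = True

    session = {}
    store_fixed(session, "2")
    legit = titles_fixed(db, session)
    return leaked, rejected, legit


if __name__ == "__main__":
    leaked, rejected, legit = demo()
    print("vulnerable path leaked:", leaked)
    print("fixed path rejected payload:", rejected)
    print("fixed path for id 2:", legit)
    # Even without the validation step, binding the payload as a parameter
    # compares fr_ID to the literal string and matches nothing:
    print("parameterised query with raw payload:",
          titles_fixed(make_db(), {SESSION_KEY: "1 OR 1=1"}))
```

The point of the split into two request handlers is that nothing in the storing handler looks dangerous on its own; the damage appears only in the consuming query, which is why grepping for SQL near the request parameter misses second-order bugs. A payload containing a stray quote would make the vulnerable path raise a database syntax error instead of returning rows, which is the "SQL errors in the logs" signal the monitoring step above refers to.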