CVE-2026-39325
SQL Injection in ChurchCRM /SettingsUser.php Allows Data Manipulation
Publication date: 2026-04-07
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to 7.1.0 (7.1.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to complete database compromise including the ability to read, write, and delete data.
An attacker with authenticated administrative access can extract all sensitive data stored in ChurchCRM.
It also allows potential privilege escalation and possibly remote code execution depending on the SQL functions and server configuration.
Can you explain this vulnerability to me?
CVE-2026-39325 is a high-severity blind SQL injection vulnerability in ChurchCRM version 7.0.5 and earlier, specifically in the /SettingsUser.php endpoint.
The vulnerability occurs because the POST parameter 'type', which is an array, has its keys (array indices) used directly in SQL queries without any sanitization or escaping.
Authenticated administrative users can inject arbitrary SQL statements through these unsanitized array keys, allowing them to extract and modify information from the database.
This is possible because the code loops over the 'type' array and uses the keys directly in an SQL UPDATE statement, enabling blind SQL injection attacks.
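The pattern described above, re-created as an added Python model with an in-memory SQLite table (this is illustrative code written for this page, not ChurchCRM's PHP source; the `user_cfg` schema, the `type_param` dictionary standing in for the `type[]` POST array, and the function names are assumptions). The vulnerable version binds the value but splices the array key into the statement text, which is exactly the defect the record describes; the hardened version allow-lists the key as a plain integer before binding both the key and the value.

```python
import re
import sqlite3

# Constructed schema standing in for the per-user settings rows the page
# says SettingsUser.php updates (an assumption, not ChurchCRM's real schema).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_cfg (id INTEGER PRIMARY KEY, value TEXT)")
    con.executemany("INSERT INTO user_cfg VALUES (?, ?)",
                    [(1, "a"), (2, "b"), (3, "c")])
    con.commit()
    return con

def update_vulnerable(con: sqlite3.Connection, type_param: dict) -> int:
    """Model of the flawed loop: the value is bound, but the array *key*
    from the POST body is pasted into the SQL text. Returns rows touched."""
    touched = 0
    for key, value in type_param.items():
        # Binding the value alone does not help: the key is still SQL text.
        cur = con.execute(
            f"UPDATE user_cfg SET value = ? WHERE id = {key}", (str(value),))
        touched += cur.rowcount
    con.commit()
    return touched

# Allow-list: a settings id is a short run of digits and nothing else.
KEY_RE = re.compile(r"^[0-9]{1,9}$")

def update_hardened(con: sqlite3.Connection, type_param: dict) -> int:
    """Reject any key that is not a plain integer, then bind key and value."""
    touched = 0
    for key, value in type_param.items():
        if not KEY_RE.fullmatch(str(key)):
            raise ValueError(f"rejected non-numeric settings id: {key!r}")
        cur = con.execute("UPDATE user_cfg SET value = ? WHERE id = ?",
                          (str(value), int(key)))
        touched += cur.rowcount
    con.commit()
    return touched

if __name__ == "__main__":
    # A legitimate request changes exactly one row in both versions.
    print("hardened, key '2':", update_hardened(make_db(), {"2": "x"}))
    # A key carrying SQL changes every row in the vulnerable version ...
    print("vulnerable, crafted key:", update_vulnerable(make_db(), {"1 OR 1=1": "y"}))
    # ... and is refused outright by the hardened version.
    try:
        update_hardened(make_db(), {"1 OR 1=1": "y"})
    except ValueError as exc:
        print("hardened, crafted key:", exc)
```

The allow-list check matters as much as the parameter binding: database drivers can bind values, not identifiers or free-standing SQL, so a key that must land inside the statement has to be validated against its expected shape first.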
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or malicious POST requests to the /SettingsUser.php endpoint, specifically those that include the `type` parameter as an array with crafted indices that attempt SQL injection.
Since the vulnerability involves SQL injection via the array index in the `type` POST parameter, detection can involve inspecting HTTP POST traffic for suspicious payloads that include SQL keywords or time-based injection patterns.
A practical approach is to use web application firewall (WAF) rules or intrusion detection system (IDS) signatures to detect SQL injection attempts targeting this endpoint.
For manual detection, you can use tools like curl or Burp Suite to send crafted POST requests to /SettingsUser.php with manipulated `type` array indices and observe the response or timing delays indicating blind SQL injection.
- Example curl command to test for SQL injection timing attack: `curl -X POST -b 'session_cookie=your_session_cookie' -d "type[1' AND SLEEP(5) AND '1'='1]=test" https://yourchurchcrm.example.com/SettingsUser.php -v --max-time 10`
- Use network traffic analysis tools (e.g., Wireshark) to monitor POST requests to /SettingsUser.php for suspicious payloads.
- Run automated vulnerability scanners configured to test for SQL injection on authenticated admin endpoints.
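One way to turn the detection advice above into something that runs over logs, as an added Python example that is not part of the original record or the ChurchCRM project. It assumes a constructed access-log format (timestamp, client, method, path, percent-encoded request body, response time in milliseconds) and a slow-response threshold of 4000 ms; the sample lines are constructed, and the only payload they contain is the one already quoted on this page. Rather than matching SQL keywords, the check flags any `type[...]` key that is not a plain integer, which is the allow-list the endpoint itself should enforce, and separately flags unusually slow responses to the endpoint, the signal a time-based probe leaves behind.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines (not real traffic). Fields, whitespace separated:
# timestamp client method path request_body duration_ms
SAMPLE_LOG = """\
2026-04-08T10:00:00Z 10.0.0.5 POST /SettingsUser.php type[1]=email&type[2]=sms 120
2026-04-08T10:00:01Z 10.0.0.5 POST /index.php q=test 35
2026-04-08T10:00:02Z 203.0.113.7 POST /SettingsUser.php type[1'%20AND%20SLEEP(5)%20AND%20'1'='1]=test 5210
2026-04-08T10:00:03Z 203.0.113.7 POST /SettingsUser.php type%5Babc%5D=1&type%5B7%5D=ok 98
"""

# Matches each type[...] parameter at the start of the body or after '&';
# the closing bracket is optional so a truncated key is still captured.
TYPE_KEY_RE = re.compile(r"(?:^|&)type\[([^\]]*)\]?")
NUMERIC_KEY_RE = re.compile(r"^[0-9]+$")
SLOW_MS = 4000  # assumed threshold for a time-based probe; tune per deployment
TARGET_PATH = "/SettingsUser.php"

def suspicious_type_keys(body: str) -> list:
    """Return every type[...] key in a form body that is not a plain integer."""
    decoded = unquote_plus(body)  # handles %5B / %5D and '+' encoded keys
    return [k for k in TYPE_KEY_RE.findall(decoded) if not NUMERIC_KEY_RE.match(k)]

def scan_log(text: str) -> list:
    """Scan log lines for POSTs to the endpoint and return one finding per
    line that carries a non-numeric type[] key or an unusually slow response."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line; skip rather than guess
        ts, client, method, path, body, duration = parts
        if method != "POST" or path != TARGET_PATH:
            continue
        reasons = []
        bad_keys = suspicious_type_keys(body)
        if bad_keys:
            reasons.append(f"non-numeric type[] key(s): {bad_keys}")
        if int(duration) >= SLOW_MS:
            reasons.append(f"slow response ({duration} ms)")
        if reasons:
            findings.append({"ts": ts, "client": client, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["client"], "; ".join(finding["reasons"]))
```

The allow-list approach means an unknown key such as `abc` is reported even though it contains no SQL at all, which is the point: on a patched install such a request is harmless but still anomalous, and on an unpatched one it is the first thing to look at. Decoding the body before matching is necessary because the brackets are commonly sent percent-encoded.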
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in ChurchCRM allows authenticated administrative users to extract and modify sensitive data from the database, leading to a complete database compromise. This includes unauthorized access to confidential information, which can result in violations of data protection regulations such as GDPR and HIPAA that require safeguarding personal and sensitive data.
Because the vulnerability impacts confidentiality, integrity, and availability of data with high severity, it poses a significant risk to compliance with standards that mandate strict controls over data access and protection. Organizations using vulnerable versions of ChurchCRM may fail to meet these regulatory requirements until the vulnerability is patched.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the /SettingsUser.php endpoint to only trusted administrative users and monitor for suspicious activity.
Implement web application firewall (WAF) rules to block or alert on suspicious POST requests containing SQL injection patterns targeting the `type` parameter.
Ensure that administrative credentials are protected and that session cookies are secured to prevent unauthorized authenticated access.
Review and limit privileges of administrative users to reduce the risk of exploitation.