Executive Summary

CVE-2026-39337 is a critical remote code execution vulnerability in ChurchCRM versions up to 7.0.5, specifically in the Install Wizard component.

The vulnerability occurs because the "$dbPassword" variable in the setup wizard is not properly sanitized, allowing an attacker to inject arbitrary PHP code during the initial installation process without authentication.

This code injection leads to complete server compromise, enabling attackers to execute malicious commands remotely.

The flaw is a form of CWE-94: Improper Control of Generation of Code ('Code Injection').

The vulnerability was not fully fixed in earlier versions and is only resolved starting from version 7.1.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated attackers to remotely execute arbitrary PHP code on the affected server.

As a result, attackers can gain full control over the server hosting ChurchCRM, leading to complete compromise of confidentiality, integrity, and availability.

• Attackers can upload backdoors and execute remote commands.
• No special privileges or user interaction are required to exploit this vulnerability.
• The attack complexity is low and can be performed remotely over the network.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your ChurchCRM installation is running a version up to 7.0.5, as these versions are vulnerable.

Since the exploit involves injecting PHP code into the "$dbPassword" field during the setup wizard, monitoring or inspecting HTTP requests to the setup wizard for suspicious payloads targeting this parameter can help detect exploitation attempts.

Additionally, using the publicly available Metasploit module `exploit/multi/http/churchcrm_install_unauth_rce` can help test if the system is vulnerable.

Commands to detect the vulnerability might include:

• Using Metasploit to run the exploit module against the target ChurchCRM instance to verify if it is vulnerable.
• Monitoring web server logs for unusual POST requests to the setup wizard containing suspicious PHP code in the "$dbPassword" parameter.
• Checking the version of ChurchCRM installed by querying the application or inspecting the version files to confirm if it is older than 7.1.0.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict access to the setup wizard page to trusted users or internal networks to prevent unauthenticated attackers from exploiting the vulnerability.

Additionally, monitor your system for any signs of compromise, such as unexpected files like backdoors (e.g., in Include/Config.php) or unusual server behavior.

If possible, disable or remove the setup wizard component after installation to reduce the attack surface.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-39337 allows unauthenticated remote code execution leading to complete server compromise of ChurchCRM installations prior to version 7.1.0. Such a compromise can result in unauthorized access, modification, or destruction of sensitive data managed by the system.

Because the vulnerability impacts confidentiality, integrity, and availability at a high level, it poses a significant risk to compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Organizations using vulnerable versions of ChurchCRM could face violations of these regulations due to potential data breaches or loss of data integrity caused by this vulnerability.

Useful 0 Not Useful 0