Executive Summary

CVE-2026-39342 is a critical SQL injection vulnerability in ChurchCRM versions up to 7.0.5. It affects the `searchwhat` parameter in the `QueryView.php` script when accessed with `QueryID=15`. An authenticated user with access to the Data/Reports > Query Menu and the "Advanced Search" query can exploit this vulnerability.

The vulnerability occurs because the application does not properly sanitize the `searchwhat` parameter, allowing attackers to inject arbitrary SQL commands. This can be exploited remotely via HTTP POST requests without requiring user interaction beyond authentication.

Attackers can execute SQL commands such as time-based blind SQL injection payloads to confirm the vulnerability and extract sensitive data, including the database version and contents.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a severe impact on the confidentiality, integrity, and availability of your system.

• Confidentiality: Attackers can extract sensitive data from the database.
• Integrity: Attackers can execute arbitrary SQL commands, potentially modifying or corrupting data.
• Availability: Attackers can perform denial of service attacks, for example by using time-based SQL injection payloads to delay or disrupt database responses.

Since the attack requires only low privileges and no user interaction beyond authentication, it poses a high risk to systems running vulnerable versions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending specially crafted POST requests to the vulnerable endpoint and observing the system's response time or behavior.

A proof of concept involves sending a POST request to QueryView.php with QueryID=15 and injecting SQL commands into the searchwhat parameter to cause a delay, confirming SQL injection.

• Example curl command to test for the vulnerability: curl -X POST 'http://target/QueryView.php?QueryID=15' -d 'searchstring=rbzEWw&searchwhat=(select*from(select(sleep(20)))a)&Submit=Execute+Query'
• Alternative payloads include conditional sleep statements to infer data via time-based blind SQL injection.
• PoC scripts in Python and usage examples with Burp Suite are also available for automated testing.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade ChurchCRM/CRM to version 7.1.0 or later, where this vulnerability is fixed.

Additionally, review and sanitize inputs to the searchwhat parameter in QueryView.php to prevent SQL injection.

Implement strict validation and use parameterized queries to ensure user inputs cannot alter SQL commands.

Useful 0 Not Useful 0

Compliance Impact

This SQL injection vulnerability in ChurchCRM allows an attacker with limited privileges to execute arbitrary SQL commands remotely, potentially leading to full database compromise, data leakage, and denial of service.

Such impacts on confidentiality, integrity, and availability of sensitive data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability could lead to violations of these regulations due to potential exposure or loss of protected data.

Useful 0 Not Useful 0