ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's s...
Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0.
AI Analyst Comment
Remediation
Update HP code during to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: ChurchCRM
PRODUCT: ChurchCRM
AFFECTED_VERSIONS: Prior to 7.1.0
CONFIDENCE: high
MISSING: none
---END_METADATA---
Description Summary:
A pre-authentication remote code execution vulnerability in the ChurchCRM setup wizard allows unauthenticated attackers to inject arbitrary PHP code, resulting in full server compromise.
Executive Summary:
A critical pre-authentication remote code execution vulnerability in the ChurchCRM setup wizard allows unauthenticated attackers to achieve full server compromise.
Vulnerability Details
CVE-ID: CVE-2026-39337
Affected Software: ChurchCRM ChurchCRM
Affected Versions: Prior to 7.1.0
Vulnerability: This is a pre-authentication remote code execution vulnerability originating from improper sanitization of the "$dbPassword" variable during the installation process. It serves as an incomplete remediation for a previous vulnerability (CVE-2025-62521).
Business Impact
Successful exploitation grants an attacker complete control over the underlying server, enabling data theft, lateral movement, and the installation of persistent backdoors. Given the critical CVSS score of 10, this vulnerability represents an existential threat to the integrity and availability of the affected infrastructure.
Remediation Plan
Immediate Action: Update ChurchCRM to version 7.1.0 immediately; if installation is currently in progress, ensure the environment is isolated until the patch is applied.
Proactive Monitoring: Audit server logs for unexpected execution of PHP files or anomalous processes initiated during or after the installation phase.
Compensating Controls: Ensure the installation directory is protected by strict file system permissions and restrict public access to the setup wizard interface.
Exploitation Status
Public Exploit Available: Not specified.
Analyst Notes: As of April 7, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability represents the highest level of risk, allowing for total server takeover. It is imperative that administrators verify their ChurchCRM installations are updated to 7.1.0 to prevent remote command execution and maintain the security of the host environment.