CVE-2025-68112

ChurchCRM · Multiple Products

A critical SQL injection vulnerability has been identified in the ChurchCRM open-source church management system.

Executive summary

A critical SQL injection vulnerability has been identified in the ChurchCRM open-source church management system. This flaw allows an authenticated attacker to take complete control of the database, leading to the theft of sensitive member data, financial information, and administrative credentials, which could result in a full system compromise. Organizations using affected versions are at high risk of a significant data breach and should apply the available patch immediately.

Vulnerability

The vulnerability is a SQL injection flaw located in the Event Attendee Editor component of the ChurchCRM application. An attacker with valid user credentials can submit specially crafted SQL queries through this editor. Because the application fails to properly sanitize user-supplied input, these malicious queries are executed directly by the backend database, allowing the attacker to read, modify, or delete any data, including sensitive member PII, financial records, and user authentication credentials.
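To make the class of flaw concrete, the following added example (not ChurchCRM's code; the `event_attendee` table, column names and sample rows are constructed for illustration) shows a query that splices user input into SQL text next to its hardened form that binds the input as a parameter. Run against the same constructed input containing a quote and an `OR` clause, the first version returns the whole table while the second returns nothing, which is exactly the difference between "input becomes part of the query" and "input is only ever a value".

```python
import sqlite3

# Constructed sample data standing in for an event-attendance table. The
# table and column names are assumptions for this example, not ChurchCRM's
# real schema.
ATTENDEES = [
    ("Ada Lovelace", 1),
    ("Grace Hopper", 1),
    ("Alan Turing", 2),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed attendee rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event_attendee (name TEXT, event_id INTEGER)")
    conn.executemany("INSERT INTO event_attendee VALUES (?, ?)", ATTENDEES)
    return conn


def find_attendees_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flaw in miniature: the caller's string is pasted into the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT name FROM event_attendee WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_attendees_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a bound parameter is sent to the engine as a value and
    can never change the structure of the statement."""
    sql = "SELECT name FROM event_attendee WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = build_db()
    # Constructed input: closes the string literal and appends an always-true clause.
    tautology = "' OR '1'='1"
    print(find_attendees_vulnerable(db, tautology))  # every row leaks
    print(find_attendees_safe(db, tautology))        # no row has that literal name
    print(find_attendees_safe(db, "Ada Lovelace"))   # normal lookups still work
```

The hardened version is the fix pattern to look for when auditing any editor or search form: every value that originates from the request reaches the database through a placeholder, never through string formatting.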

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.6. Successful exploitation could lead to severe business consequences, including a major data breach of highly sensitive personal and financial information of church members, resulting in significant reputational damage and potential legal liabilities. The theft of administrative credentials could allow an attacker to gain full control over the church management system, disrupt operations, and use the compromised server for further malicious activities.

Remediation

Immediate Action: Immediately upgrade all instances of ChurchCRM to version 6.5.3 or later, which contains the patch for this vulnerability. After patching, review application and database access logs for any signs of suspicious activity or unauthorized data access that may have occurred prior to the update.

Proactive Monitoring: Monitor database logs for unusual or malformed SQL queries, particularly those targeting the tables related to event attendance and user accounts. Review web server access logs for anomalous requests to the Event Attendee Editor endpoint. Implement alerts for multiple failed login attempts or access from unusual geographic locations, which could indicate a compromised account being used to exploit this flaw.
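As an added example of the log review described above (this is not ChurchCRM's tooling, and the endpoint paths `/EventAttendeeEditor.php` and `/session/begin`, the `401` status for a failed login, and the sample log lines are all constructed assumptions rather than values from the page), the script below parses web server access log lines in the common "combined" format, flags requests to the editor endpoint whose decoded query string carries SQL metacharacters, and counts repeated failed logins per source address.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Hypothetical paths: the real ChurchCRM URLs are not given in the advisory.
EDITOR_PATH = "/EventAttendeeEditor.php"
LOGIN_PATH = "/session/begin"
FAILED_LOGIN_THRESHOLD = 5          # tune to the site's normal traffic

# Apache/nginx "combined" access log prefix: ip ident user [ts] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Fragments that should not appear in an attendee editor's numeric/ID parameters.
SQLI_RE = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\()", re.IGNORECASE)

# Constructed sample log: one benign editor request, one with a tautology in the
# query, an apostrophe on an unrelated endpoint, and a burst of failed logins.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /EventAttendeeEditor.php?EventID=12 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2025:10:00:09 +0000] "GET /EventAttendeeEditor.php?EventID=12%27%20OR%201%3D1-- HTTP/1.1" 200 98765
192.0.2.9 - - [10/Jan/2025:10:00:30 +0000] "GET /Search.php?q=O%27Brien HTTP/1.1" 200 2048
198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "POST /session/begin HTTP/1.1" 401 220
198.51.100.7 - - [10/Jan/2025:10:01:02 +0000] "POST /session/begin HTTP/1.1" 401 220
198.51.100.7 - - [10/Jan/2025:10:01:04 +0000] "POST /session/begin HTTP/1.1" 401 220
198.51.100.7 - - [10/Jan/2025:10:01:06 +0000] "POST /session/begin HTTP/1.1" 401 220
198.51.100.7 - - [10/Jan/2025:10:01:08 +0000] "POST /session/begin HTTP/1.1" 401 220
192.0.2.9 - - [10/Jan/2025:10:02:00 +0000] "POST /session/begin HTTP/1.1" 401 220
192.0.2.9 - - [10/Jan/2025:10:02:10 +0000] "POST /session/begin HTTP/1.1" 302 0
"""


def parse_line(line: str):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)   # decode before matching
    rec["status"] = int(rec["status"])
    return rec


def flag_sqli_requests(records: list) -> list:
    """Editor requests whose decoded query carries SQL syntax: (ip, decoded url)."""
    return [
        (r["ip"], f'{r["path"]}?{r["query"]}')
        for r in records
        if r["path"] == EDITOR_PATH and SQLI_RE.search(r["query"])
    ]


def flag_failed_logins(records: list, threshold: int = FAILED_LOGIN_THRESHOLD) -> dict:
    """Source addresses with at least `threshold` failed login attempts."""
    failures = Counter(
        r["ip"] for r in records
        if r["path"] == LOGIN_PATH and r["method"] == "POST" and r["status"] == 401
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}


def analyze(log_text: str) -> dict:
    """Run both detections over a block of log text."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    return {"sqli": flag_sqli_requests(records), "failed_logins": flag_failed_logins(records)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The apostrophe in the unrelated search request is deliberately not flagged, since the path filter keeps the rule focused on the vulnerable endpoint; an apostrophe in a legitimate attendee name on the editor endpoint would still trip it, so treat hits as triage candidates to pair with the database query log rather than as proof of exploitation.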

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict SQL injection detection rules to block malicious requests. Additionally, restrict access to the Event Attendee Editor function to a minimal number of trusted administrative users and enforce multi-factor authentication (MFA) on all accounts to mitigate the risk of a compromised account being used for exploitation.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical CVSS score of 9.6 and the risk of complete database and system compromise, it is imperative that organizations using the affected ChurchCRM software apply the security update to version 6.5.3 or later without delay. This vulnerability represents a direct and severe threat to the confidentiality and integrity of sensitive organizational and member data. All instances should be considered compromised until patched and thoroughly investigated for signs of malicious activity.