CVE-2026-40484
ChurchCRM · ChurchCRM
ChurchCRM's backup restore functionality allows authenticated administrators to upload malicious files, leading to remote code execution.
Executive summary
A critical remote code execution vulnerability in ChurchCRM allows authenticated administrators to execute arbitrary code via malicious backup archives.
Vulnerability
The application fails to sanitize file extensions during the restoration process, so an authenticated administrator can upload a PHP webshell inside a backup archive. In addition, the restore endpoint performs no CSRF token validation, so an attacker can trigger the restore through a logged-in administrator's browser via cross-site request forgery.
Business impact
Successful exploitation results in complete system compromise, enabling an attacker to execute arbitrary code with the privileges of the web server. Given the CVSS score of 9.1, this vulnerability poses a severe threat, potentially leading to unauthorized data access, lateral movement within the network, and total loss of system integrity.
Remediation
Immediate Action: Upgrade ChurchCRM to version 7.2.0 or later to patch the file upload and CSRF vulnerabilities.
Proactive Monitoring: Review web server access logs for suspicious requests targeting the Images/ directory or unusual patterns in backup restoration activity.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block unauthorized file uploads and verify the origin of administrative requests to mitigate CSRF risks.
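As an added example (not code from ChurchCRM or this advisory) of the log review suggested under Proactive Monitoring: a small scanner over web server access logs in Apache/nginx "combined" format that flags requests for server-side script files under the Images/ upload directory, which is where a webshell dropped by a malicious restore would be fetched from. The log lines, the extension list, and the assumption that Images/ should only ever serve static files are constructed for the example.

```python
import re
from collections import namedtuple

# Apache/nginx "combined" access-log format; trailing fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Server-side script extensions that should never be served from an
# upload directory. Every suffix is checked, so a double extension such
# as photo.phtml.jpg is caught as well (assumed list, not from the page).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

Finding = namedtuple("Finding", "ip ts method path status reason")

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def script_suffixes(path):
    """List the script-type suffixes in the final path component."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return [p for p in name.split(".")[1:] if p in SCRIPT_EXTS]

def scan(lines, upload_dir="/Images/"):
    """Flag requests for script files under upload_dir; a 2xx response
    means the server most likely executed the file rather than 404'd it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if upload_dir.lower() in path.lower() and script_suffixes(path):
            reason = "script extension under upload dir"
            if rec["status"].startswith("2"):
                reason += " (served with 2xx: likely executed)"
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"],
                                    path, rec["status"], reason))
    return findings

# Constructed sample log lines: one benign image fetch, one script fetch
# that succeeded, one double-extension probe that was not found.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "GET /Images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:14:05:40 +0000] "GET /Images/cache.php HTTP/1.1" 200 83 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2026:14:06:02 +0000] "GET /Images/photo.phtml.jpg HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} {f.status}: {f.reason}")
```

Any hit with a 2xx status warrants treating the host as compromised and pulling the corresponding backup restore activity from the application logs for the same time window.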
Exploitation status
Public Exploit Available: Not specified.
Analyst recommendation
This vulnerability represents a critical risk to the confidentiality and integrity of the ChurchCRM platform. Administrators must prioritize applying the version 7.2.0 update to eliminate the code execution vector and secure the backup restoration endpoint.