CVE-2026-42289
ChurchCRM · CRM
ChurchCRM before 7.3.2 is susceptible to multiple vulnerabilities including improper privilege management, missing authentication for critical functions, and CSRF, potentially leading to system compromise.
Executive summary
Multiple security flaws in ChurchCRM, including missing authentication and privilege management issues, allow remote attackers to compromise the application integrity and confidentiality.
Vulnerability
The application suffers from a combination of missing authentication for critical functions (CWE-306), improper privilege management (CWE-269), and Cross-Site Request Forgery (CWE-352). These flaws allow unauthenticated or low-privileged attackers to perform sensitive actions.
Business impact
The combined impact of these vulnerabilities is severe, with a CVSS score of 8.8. An attacker could gain unauthorized administrative access, modify sensitive church management data, or perform unauthorized actions, leading to significant reputational damage and loss of trust.
Remediation
Immediate Action: Upgrade ChurchCRM to version 7.3.2 or later immediately to address these security gaps.
Proactive Monitoring: Review application logs for unauthorized administrative actions or suspicious requests that could indicate exploitation attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) to mitigate potential CSRF attacks and block suspicious traffic patterns targeting administrative endpoints.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
ChurchCRM users should treat this advisory with high urgency and perform the recommended upgrade to version 7.3.2. Because the vulnerability includes missing authentication for critical functions, the application is at high risk of unauthorized manipulation by remote parties.