CVE-2026-44548
ChurchCRM · CRM
ChurchCRM is susceptible to Cross-Site Request Forgery (CSRF) and improper server-side permission handling, potentially allowing unauthorized state-changing actions.
Executive summary
A Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM versions prior to 7.3.2 poses a significant risk of unauthorized administrative actions.
Vulnerability
This vulnerability involves CWE-352 (CSRF) and CWE-650, where the application fails to adequately validate requests, allowing an unauthenticated attacker to trick a logged-in user into executing unintended actions.
Business impact
The ability for an attacker to perform unauthorized actions on behalf of a legitimate user could lead to the modification of sensitive church membership data, unauthorized financial transactions, or the deletion of critical system records. With a CVSS score of 8.1, this represents a high-severity threat that could severely compromise the integrity and availability of the organization's management system.
Remediation
Immediate Action: Upgrade ChurchCRM to version 7.3.2 or later immediately to apply the necessary CSRF tokens and permission checks.
Proactive Monitoring: Audit application access logs for suspicious administrative activity or unexpected state-changing requests occurring outside of standard user workflows.
Compensating Controls: Implement a Web Application Firewall (WAF) to detect and block suspicious cross-site requests, though this should be considered a temporary measure pending a full software update.
Exploitation status
Public Exploit Available: No (No confirmed public exploit available).
Analyst recommendation
Given the potential for unauthorized data manipulation and the existence of a proof-of-concept, administrators should prioritize updating to version 7.3.2. Failure to patch leaves the application vulnerable to session-hijacking-style attacks that bypass traditional perimeter defenses.