CVE-2026-58409
ChurchCRM · CRM
ChurchCRM versions prior to 7.4.0 contain an unrestricted file upload vulnerability that allows an authenticated administrator to achieve remote code execution via malicious plugin ZIP archives.
Executive summary
An authenticated remote code execution vulnerability in ChurchCRM allows an administrator to execute arbitrary PHP code by uploading a malicious plugin, resulting in full system compromise.
Vulnerability
This is an unrestricted file upload vulnerability (CWE-434) where the application fails to effectively block PHP files in plugin archives. An attacker with administrative privileges can upload a ZIP file containing a webshell, which becomes immediately executable due to improper directory permissions and extension handling.
Business impact
While this exploit requires authenticated administrative access (PR:H), the impact is critical (CVSS 9.1) because it grants the attacker full control over the application server. This could lead to complete data exfiltration, modification of sensitive church membership records, and potential use of the server as a pivot point for further attacks.
Remediation
Immediate Action: Update ChurchCRM CRM to version 7.4.0 or later immediately to resolve the flawed extension validation logic.
Proactive Monitoring: Audit existing installed plugins for unauthorized files and review server logs for suspicious access to newly uploaded files within the web root.
Compensating Controls: Restrict access to the administrative dashboard to trusted IP addresses and enforce strict file system permissions to prevent the execution of scripts in the plugin upload directory.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations using ChurchCRM must prioritize upgrading to version 7.4.0. Given the sensitivity of the data typically managed by church management systems, ensuring that administrative accounts are secured and software is patched is essential to maintaining institutional security.