CVE-2026-58409

ChurchCRM · CRM

ChurchCRM versions prior to 7.4.0 contain an unrestricted file upload vulnerability that allows an authenticated administrator to achieve remote code execution via malicious plugin ZIP archives.

Executive summary

An authenticated remote code execution vulnerability in ChurchCRM allows an administrator to execute arbitrary PHP code by uploading a malicious plugin, resulting in full system compromise.

Vulnerability

This is an unrestricted file upload vulnerability (CWE-434) where the application fails to effectively block PHP files in plugin archives. An attacker with administrative privileges can upload a ZIP file containing a webshell, which becomes immediately executable due to improper directory permissions and extension handling.

Business impact

While this exploit requires authenticated administrative access (PR:H), the impact is critical (CVSS 9.1) because it grants the attacker full control over the application server. This could lead to complete data exfiltration, modification of sensitive church membership records, and potential use of the server as a pivot point for further attacks.

Remediation

Immediate Action: Update ChurchCRM CRM to version 7.4.0 or later immediately to resolve the flawed extension validation logic.

Proactive Monitoring: Audit existing installed plugins for unauthorized files and review server logs for suspicious access to newly uploaded files within the web root.

Compensating Controls: Restrict access to the administrative dashboard to trusted IP addresses and enforce strict file system permissions to prevent the execution of scripts in the plugin upload directory.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Organizations using ChurchCRM must prioritize upgrading to version 7.4.0. Given the sensitivity of the data typically managed by church management systems, ensuring that administrative accounts are secured and software is patched is essential to maintaining institutional security.