kilserv@research $

cat churchcrm-sqli-cve-2025-67877.md

From Code Analysis to CVE: Uncovering SQL Injection in ChurchCRM (CVE-2025-67877)

> Date: 2026-01-15 > Severity: High

Technical walkthrough of identifying, exploiting, and responsibly disclosing a SQL Injection vulnerability in ChurchCRM (CVE-2025-67877).

Overview

CVE-2025-67877 is a high severity SQL Injection vulnerability discovered in the open-source church management system ChurchCRM. This issue stems from improper handling of user input in the application’s codebase, allowing an attacker to inject arbitrary SQL into database queries and exfiltrate sensitive data.

Target and Context

ChurchCRM is an open-source application used by organizations to manage member information, donations, and events. Its public source code makes it a viable target for white-box audits, where an analyst can manually inspect logic flaws and risky constructs across the codebase.

Methodology

The vulnerability was found through manual source code review, following a methodical approach:

  1. Input Vector Identification – Files and endpoints that accept user input (especially POST parameters) were mapped.
  2. Sanitization Tracing – Observed how those inputs were processed before being used in database queries.
  3. Bypass Analysis – Isolated input paths where sanitization was insufficient or inconsistent with best practices.

This process revealed that automated tooling often misses contextual flaws that only a human analysis can detect, reinforcing the value of manual inspection.

The Vulnerability

The SQL Injection flaw was located in the file CartToFamily.php within ChurchCRM’s source. While many input fields are filtered using an input utility, the PersonAddress parameter was concatenated directly into the SQL query string without proper type enforcement or prepared statements.

Vulnerable Code Pattern

Below is a simplified illustration of the problematic logic:

// Illustrative snippet of vulnerable logic
$sAddress1 = InputUtils::LegacyFilterInput($_POST['PersonAddress']);

// Unsafe concatenation into SQL query
$sSQL = "SELECT * FROM family_fam WHERE fam_Address1 = '" . $sAddress1 . "'";

This pattern allows special characters in the PersonAddress input to manipulate SQL syntax because the legacy filter did not enforce strict sanitation.

Proof of Concept (PoC)

To validate the vulnerability in a controlled environment:

  • Laboratory Setup: Docker + ChurchCRM instance
  • Tools: Burp Suite Professional for interception
  • Database: MySQL backend

The following HTTP request illustrates exploitation via SQL Injection:

POST /CartToFamily.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded

PersonAddress=MainSt' UNION SELECT 1,database(),3,4,5 -- -

Upon injection, the target responded with content reflecting query results from the manipulated database query, including information like the current database name — confirming successful SQL Injection.

Impact

Successful exploitation of this vulnerability allows:

  • Unauthorized exfiltration of sensitive parish and member data
  • Exposure of database structure, credentials, and internal values
  • Full compromise of application confidentiality and integrity

Given the nature of the data ChurchCRM typically manages, this risk is considered high severity.

Remediation

To remediate this issue, avoid direct string concatenation in SQL queries. Instead use prepared statements (parameterized queries), which separate SQL logic from user input.

Secure Example (PHP PDO)

// Secure prevention using prepared statements
$stmt = $pdo->prepare("SELECT * FROM family_fam WHERE fam_Address1 = :address");
$stmt->execute(['address' => $sAddress1]);
$result = $stmt->fetchAll();

Prepared statements ensure the database treats input as data only, eliminating SQL interpretation risk.

The fix was incorporated into ChurchCRM version 6.5.3 and later.

Conclusion

The discovery of CVE-2025-67877 emphasizes the importance of manual source code review in vulnerability research, especially for web applications with complex logic flows. Automated scanners provide value, but human insight remains critical to identifying contextual flaws like SQL Injection in real-world codebases.

Security practitioners should prioritize:

  • Use of parameterized queries across all database access layers
  • Rigorous input validation tied to the exact SQL usage context
  • Regular code audits beyond automated tooling

Combining these practices helps ensure robust defenses against SQL Injection and similar injection-based attacks.

References

  • The National Vulnerability Database entry for CVE-2025-67877 provides the official vulnerability description and severity.
  • Original Medium article explaining methodology and exploitation details.
[EOF] cd ..