Vulnerability Description
ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Churchcrm | Churchcrm | <= 6.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/ChurchCRM/CRM/commit/719a6bc73245c40e3c30dae6229daaecd451e59fPatch
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-47q3-c874-mqvpExploitVendor Advisory
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-47q3-c874-mqvpExploitVendor Advisory
FAQ
What is CVE-2025-66313?
CVE-2025-66313 is a vulnerability with a CVSS score of 7.2 (HIGH). ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes det...
How severe is CVE-2025-66313?
CVE-2025-66313 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66313?
Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.