Vulnerability Description
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Churchcrm | Churchcrm | < 6.5.3 |
Related Weaknesses (CWE)
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4ExploitVendor Advisory
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4ExploitVendor Advisory
FAQ
What is CVE-2025-67877?
CVE-2025-67877 is a vulnerability with a CVSS score of 8.8 (HIGH). ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parame...
How severe is CVE-2025-67877?
CVE-2025-67877 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-67877?
Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.