Vulnerability Description
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Churchcrm | Churchcrm | < 6.5.3 |
Related Weaknesses (CWE)
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcqExploitVendor Advisory
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcqExploitVendor Advisory
FAQ
What is CVE-2025-68112?
CVE-2025-68112 is a vulnerability with a CVSS score of 9.6 (CRITICAL). ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL...
How severe is CVE-2025-68112?
CVE-2025-68112 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-68112?
Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.