CVE-2025-1133 CRITICAL

CVE-2025-1133: SQL Injection in ChurchCRM EID Parameter via EditEventAttendees.php

Vendor Churchcrm

Product ChurchCRM

Weakness CWE-89 · SQLi

Published February 19, 2025

Last update February 19, 2025

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/AU:Y/R:U/V:C/RE:H/U:Red

What the vulnerability does

01Description

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion. Please note that this vulnerability requires Administrator privileges.

Key dates

02Disclosure timeline

February 19, 2025 CVE published

February 19, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-1133 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2025-1133: SQL Injection in ChurchCRM EID Parameter via EditEventAttendees.php

01Description

02Disclosure timeline

03References

04Related CVE