CVE-2025-11938 MEDIUM

CVE-2025-11938: ChurchCRM setup.php deserialization

Vendor N/A
Product ChurchCRM
Weakness CWE-502 · Unsafe deserialization
Published October 19, 2025
Last update February 24, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

October 19, 2025 CVE published
February 24, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-1714 Bitrix24 Remote Command Execution (RCE) via Unsafe Variable Extraction CVE-2025-26967 WordPress Events Calendar for GeoDirectory plugin <= 2.3.14 - PHP Object Injection vulnerability CVE-2025-53299 WordPress ThemeMakers Visual Content Composer Plugin <= 1.5.8 - PHP Object Injection Vulnerability CVE-2025-64408 Apache Causeway: Java deserialization vulnerability to authenticated attackers CVE-2024-7435 Attire <= 2.0.6 - Authenticated (Contributor+) PHP Object Injection