ChurchCRM setup.php deserialization_CVE-2025-11938

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2025-11938

Source VulDB

Published Oct 19, 2025 at 07:32

Affected Product

Vendor n/a

Product ChurchCRM

Version 5.0

Affected Versions n/a ChurchCRM 5.0
n/a ChurchCRM 5.1
n/a ChurchCRM 5.2
n/a ChurchCRM 5.3
n/a ChurchCRM 5.4
n/a ChurchCRM 5.5
n/a ChurchCRM 5.6
n/a ChurchCRM 5.7
n/a ChurchCRM 5.8
n/a ChurchCRM 5.9
n/a ChurchCRM 5.10
n/a ChurchCRM 5.11
n/a ChurchCRM 5.12
n/a ChurchCRM 5.13
n/a ChurchCRM 5.14
n/a ChurchCRM 5.15
n/a ChurchCRM 5.16
n/a ChurchCRM 5.17
n/a ChurchCRM 5.18.0

CWE Classification

CWE-502 CWE-20

References

{
    "lastseen": "",
    "description": "A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2025-10-19T07:32:05.836Z",
    "modified": "2025-10-19T07:32:05.836Z",
    "type": "cve",
    "title": "ChurchCRM setup.php deserialization",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.329014\nhttps://vuldb.com/?ctiid.329014\nhttps://vuldb.com/?submit.671083\nhttps://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md",
    "id": "CVE-2025-11938",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502",
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "n/a ChurchCRM 5.0\nn/a ChurchCRM 5.1\nn/a ChurchCRM 5.2\nn/a ChurchCRM 5.3\nn/a ChurchCRM 5.4\nn/a ChurchCRM 5.5\nn/a ChurchCRM 5.6\nn/a ChurchCRM 5.7\nn/a ChurchCRM 5.8\nn/a ChurchCRM 5.9\nn/a ChurchCRM 5.10\nn/a ChurchCRM 5.11\nn/a ChurchCRM 5.12\nn/a ChurchCRM 5.13\nn/a ChurchCRM 5.14\nn/a ChurchCRM 5.15\nn/a ChurchCRM 5.16\nn/a ChurchCRM 5.17\nn/a ChurchCRM 5.18.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ChurchCRM",
    "version": "5.0",
    "vendor": "n/a",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}