CVE 8.8 HIGH

SQL Injection in Event List via `WhichType` Parameter_CVE-2025-66395

December 17, 2025 invoker category_cve
8.8 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL commands, including time-based blind SQL injection attacks. Any authenticated user, regardless of their privilege level, can execute arbitrary queries on the database. This could allow them to exfiltrate, modify, or delete any data in the database, including user credentials, financial data, and personal information, leading to a full compromise of the application's data. Version 6.5.3 fixes the issue.

AI Analysis

SQL injection vulnerability in ChurchCRM's event list via the `WhichType` parameter, allowing authenticated users to execute arbitrary SQL commands

Basic Information

ID CVE-2025-66395
Source GitHub_M
Published Dec 17, 2025 at 19:04
Modified Dec 17, 2025 at 19:28

Affected Product

Vendor ChurchCRM
Product CRM
Version < 6.5.3
Affected Versions ChurchCRM CRM < 6.5.3

CWE Classification

CWE-89

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor ChurchCRM
Product ChurchCRM CRM
Version < 6.5.3

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.