CVE 9.6 CRITICAL

ChurchCRM has SQL injection in EditEventAttendees.php_CVE-2025-68112

December 17, 2025 invoker category_cve

9.6 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.

AI Analysis

SQL injection vulnerability in ChurchCRM's Event Attendee Editor

Basic Information

ID CVE-2025-68112

Source GitHub_M

Published Dec 17, 2025 at 21:38

Affected Product

Vendor ChurchCRM

Product CRM

Version < 6.5.3

Affected Versions ChurchCRM CRM < 6.5.3

CWE Classification

CWE-89

AI Assessment

AI Score 9.6 / 10

AI Severity Critical

Vendor ChurchCRM

Product ChurchCRM

Version < 6.5.3

References

github.com /ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq

{
    "lastseen": "",
    "description": "ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.",
    "published": "2025-12-17T21:38:24.086Z",
    "modified": "2025-12-17T21:38:24.086Z",
    "type": "cve",
    "title": "ChurchCRM has SQL injection in EditEventAttendees.php",
    "source": "GitHub_M",
    "references": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq",
    "id": "CVE-2025-68112",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "ChurchCRM CRM < 6.5.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CRM",
    "version": "< 6.5.3",
    "vendor": "ChurchCRM",
    "ai_description": "SQL injection vulnerability in ChurchCRM's Event Attendee Editor",
    "ai_severity": "Critical",
    "ai_vendor": "ChurchCRM",
    "ai_product": "ChurchCRM",
    "ai_version": "< 6.5.3",
    "ai_score": 9.6
}

💭 Join the Security Discussion ❌ Cancel Reply