CVE-2025-68112

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq	Exploit Vendor Advisory
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

History

18 Dec 2025, 18:28

Type	Values Removed	Values Added
References	~~() https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq -~~	() https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq - Exploit, Vendor Advisory
First Time		Churchcrm churchcrm Churchcrm
CPE		cpe:2.3:a:churchcrm:churchcrm::::::::

18 Dec 2025, 15:16

Type	Values Removed	Values Added
References	~~() https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq -~~	() https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq -

17 Dec 2025, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-17 22:16

Updated : 2025-12-18 18:28

NVD link : CVE-2025-68112

Mitre link : CVE-2025-68112

CVE.ORG link : CVE-2025-68112

JSON object : View

Products Affected

churchcrm

churchcrm

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-68112", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-12-17T22:16:01.240", "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue."}], "lastModified": "2025-12-18T18:28:00.853", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD", "versionEndExcluding": "6.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}