CVE-2025-1135

9.3

Critical

Published:19 Feb 2025

Last updated:17 Jun 2026

Source:b7efe717-a805-47cf-8e9a-921fca0ce0ce

Analyzed

Weakness (CWE)

CWE-89SQL Injection

CVSS Vector

v4.0

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: High
User Interaction: None
Confidentiality (Vulnerable): High
Integrity (Vulnerable): High
Availability (Vulnerable): High
Confidentiality (Subsequent): High
Integrity (Subsequent): Low
Availability (Subsequent): High

View on MITRE Find PoC on GitHub

Description

A vulnerability exists in ChurchCRM 5.13.0. and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. Please note the vulnerability requires Administrator privileges.

References

b7efe717-a805-47cf-8e9a-921fca0ce0ce

https://github.com/ChurchCRM/CRM/issues/7254