ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.0.5
A critical remote code execution vulnerability has been identified in ChurchCRM, an open-source church management system, in versions prior to 7.1.0. The flaw is in the setup wizard: while the initial installation has not been completed, an unauthenticated attacker can inject arbitrary PHP code because the '$dbPassword' value submitted to the wizard is not properly sanitized. It exists because the fix for CVE-2025-62521 was incomplete.
Successful exploitation gives pre-authentication remote code execution and therefore full compromise of the affected server.
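To make the bug class concrete, the following is an added illustration written for this page, not ChurchCRM's own code. The page does not show the setup wizard's source, so the example assumes the common pattern of a wizard writing submitted database credentials into a generated PHP config file by string interpolation; the function names, the temporary file paths and the sample payload are all hypothetical and constructed here.

```php
<?php
// Added illustration (not ChurchCRM code): how an unsanitized $dbPassword
// becomes executable PHP when an installer writes it into a generated config.

// Vulnerable pattern (hypothetical): the submitted value is interpolated
// straight into PHP source. A "password" that closes the string literal
// turns the remainder of the value into code that runs on every include.
function writeConfigUnsafe(string $path, string $dbPassword): void
{
    $src = "<?php\n\$dbPassword = '" . $dbPassword . "';\n";
    file_put_contents($path, $src);
}

// Hardened pattern: var_export() emits a valid PHP string literal with quotes
// and backslashes escaped, so the value can only ever be data. Independently
// of this, an installer must refuse to run again once setup has completed.
function writeConfigSafe(string $path, string $dbPassword): void
{
    $src = "<?php\n\$dbPassword = " . var_export($dbPassword, true) . ";\n";
    file_put_contents($path, $src);
}

// Tokenize generated source and report whether an injected statement
// (here: an echo) survived as code rather than as string content.
function containsEchoStatement(string $src): bool
{
    foreach (token_get_all($src) as $t) {
        if (is_array($t) && $t[0] === T_ECHO) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: a value that breaks out of a single-quoted literal.
$payload   = "'; echo 'INJECTED'; //";
$tmpUnsafe = tempnam(sys_get_temp_dir(), 'cfg_unsafe_');
$tmpSafe   = tempnam(sys_get_temp_dir(), 'cfg_safe_');

writeConfigUnsafe($tmpUnsafe, $payload);
writeConfigSafe($tmpSafe, $payload);

echo "--- unsafe generated source ---\n", file_get_contents($tmpUnsafe);
echo "--- safe generated source ---\n", file_get_contents($tmpSafe);

// Static check only: the unsafe file is never included, because doing so
// would execute the injected statement.
echo "unsafe file contains injected statement: ",
    containsEchoStatement(file_get_contents($tmpUnsafe)) ? "yes" : "no", "\n";
echo "safe file contains injected statement:   ",
    containsEchoStatement(file_get_contents($tmpSafe)) ? "yes" : "no", "\n";

// The safe file is plain data: including it round-trips the original value.
require $tmpSafe;
echo "safe config round-trips the value unchanged: ",
    ($dbPassword === $payload) ? "yes" : "no", "\n";

unlink($tmpUnsafe);
unlink($tmpSafe);
```

Run it with the PHP CLI (`php example.php`). The point of the tokenizer check is that "sanitizing" a value by ad hoc quote stripping is the kind of partial fix that leaves a second bypass; emitting the value with var_export() (or storing credentials outside PHP source altogether, for instance in an environment file the code reads at runtime) removes the code/data confusion rather than filtering one payload shape.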
The vulnerability can be reproduced with the Metasploit module written for this issue, or by following the proof of concept in the earlier advisory GHSA-m8jq-j3p9-2xf3. The Metasploit route needs a Linux host with Docker and a current Metasploit installation: start a Docker container running ChurchCRM 7.0.2 (a version within the affected range), then run the module, which injects a backdoor through the setup wizard and uses it to open a Meterpreter session on the compromised server.
Upgrade to ChurchCRM 7.1.0 or later, where this vulnerability is patched; because the attack surface is the unauthenticated setup wizard, also confirm that installation has been completed and that the wizard is no longer reachable on deployed instances.