ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.1.2
A SQL injection vulnerability has been identified in ChurchCRM, an open-source church management system, in versions prior to 7.2.0. The issue arises in the FinancialService::getMemberByScanString() method, where unsanitized data is concatenated into raw SQL queries. This vulnerability allows for authenticated SQL injection through the API endpoint '/api/families/byCheckNumber/{scanString}'.
Because the endpoint requires authentication, exploitation needs a valid ChurchCRM session or API credential; with that, an attacker can alter the query's logic to read or modify database contents beyond the intended family lookup.
To reproduce, send an authenticated request to the '/api/families/byCheckNumber/{scanString}' endpoint with a scan string containing a SQL injection payload (URL-encoded, since it travels in the path). The value reaches the query through the '$routeAndAccount' variable, which is concatenated into the SQL string without sanitization or parameter binding.
Users can upgrade to ChurchCRM version 7.2.0 or later, where this vulnerability has been patched.
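The following is an added example, not ChurchCRM's code, that models the flaw the advisory describes and the fix it implies: a URL-decoded path segment spliced into a raw SQL string beside the same lookup with the value bound as a parameter. The table name, columns, sample rows and the assumption that the path segment is used as-is are all constructed for illustration; the real parsing inside getMemberByScanString() is not reproduced here.

```python
import sqlite3
from urllib.parse import unquote


def build_db():
    """Constructed in-memory stand-in for the families table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE families (id INTEGER PRIMARY KEY, name TEXT, route_and_account TEXT)"
    )
    conn.executemany(
        "INSERT INTO families (name, route_and_account) VALUES (?, ?)",
        [("Smith", "021000021-123456789"), ("Jones", "121000248-987654321")],
    )
    return conn


def route_and_account_from_path(path_segment):
    """Request side: the {scanString} path segment is URL-decoded and used as-is.
    This is an assumption of the model, not ChurchCRM's actual parsing."""
    return unquote(path_segment)


def lookup_vulnerable(conn, scan_string):
    """The pattern the advisory describes: the value is concatenated into raw SQL."""
    route_and_account = route_and_account_from_path(scan_string)
    sql = (
        "SELECT id, name FROM families WHERE route_and_account = '"
        + route_and_account
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, scan_string):
    """Hardened form: the value is bound as a query parameter, never spliced into SQL."""
    route_and_account = route_and_account_from_path(scan_string)
    sql = "SELECT id, name FROM families WHERE route_and_account = ?"
    return conn.execute(sql, (route_and_account,)).fetchall()


# Constructed payload as it would appear in the URL path; decodes to:  ' OR '1'='1
PAYLOAD = "%27%20OR%20%271%27%3D%271"


def demo():
    """Run both lookups with a legitimate scan string and with the payload."""
    conn = build_db()
    normal = "021000021-123456789"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_payload": lookup_vulnerable(conn, PAYLOAD),   # every family row leaks
        "safe_normal": lookup_safe(conn, normal),
        "safe_payload": lookup_safe(conn, PAYLOAD),         # payload matched literally: no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the payload, the concatenated query becomes `... WHERE route_and_account = '' OR '1'='1'` and returns every row; the parameterized version compares the decoded payload as an ordinary string and returns nothing. Any of the usual SQL injection variants (UNION, stacked queries where the driver allows them) follow from the same concatenation point, which is why binding the value, rather than filtering the scan string, is the fix to look for when reviewing the 7.2.0 change.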