ChurchCRM Pre-Authentication Remote Code Execution Vulnerability in Setup Wizard

Vulnerability

A pre-authentication remote code execution vulnerability exists in ChurchCRM versions prior to 7.3.2. The issue arises in the setup wizard, where the 'DB_PASSWORD' field is not properly sanitized. This vulnerability allows an attacker to execute arbitrary operating system commands by injecting a payload into the 'DB_PASSWORD' field, which is then processed by the application.

Impact

Exploitation of this vulnerability allows for full server compromise, with executed commands running as the 'www-data' user.

Reproduction

The vulnerability can be reproduced by accessing the ChurchCRM setup wizard without authentication. After injecting a payload into the 'DB_PASSWORD' field, the 'Config.php' file is loaded, executing the injected command. This can be automated with a Python script that interacts with the setup wizard and captures the output of the executed commands.
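The following is an added illustration of the defect class described above, not ChurchCRM's own code: a setup-wizard routine that splices the submitted 'DB_PASSWORD' into PHP source, beside a hardened version. It assumes the wizard persists credentials by writing PHP source to Config.php that the application later includes; the function names, the return-array layout and the sample input are hypothetical.

```php
<?php
// Added example, not ChurchCRM's code. Assumes Config.php is generated as PHP
// source and later include()d by the application.

// Unsafe pattern: the submitted value is spliced into PHP source verbatim.
// A quote inside it ends the string literal early, so the remainder of the
// value is parsed as code and runs the next time Config.php is included.
function writeConfigUnsafe(string $path, string $dbPassword): void
{
    $src = "<?php\nreturn ['DB_PASSWORD' => '" . $dbPassword . "'];\n";
    file_put_contents($path, $src);
}

// Hardened pattern: var_export() emits a correctly quoted PHP string literal
// (escaping ' and \), so the value always stays data. The file is written with
// restrictive permissions, round-tripped, and only then moved into place.
function writeConfigSafe(string $path, string $dbPassword): bool
{
    $literal = var_export($dbPassword, true);
    $src = "<?php\nreturn ['DB_PASSWORD' => " . $literal . "];\n";
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $src) === false) {
        return false;
    }
    chmod($tmp, 0640);
    $cfg = include $tmp;                      // re-parse what was actually written
    if (!is_array($cfg) || ($cfg['DB_PASSWORD'] ?? null) !== $dbPassword) {
        unlink($tmp);                         // does not round-trip: refuse it
        return false;
    }
    return rename($tmp, $path);
}

// Defender-side check: a generated config file must contain no statement
// tokens beyond its single return, so e.g. T_ECHO must never appear in it.
function containsToken(string $src, int $tokenId): bool
{
    foreach (token_get_all($src) as $t) {
        if (is_array($t) && $t[0] === $tokenId) {
            return true;
        }
    }
    return false;
}

// Constructed, benign input with a backslash, a quote and a PHP keyword.
$input = "x\\y'; echo 'z";
$path = sys_get_temp_dir() . '/Config.php';

writeConfigUnsafe($path, $input);
var_dump(containsToken(file_get_contents($path), T_ECHO));   // bool(true)

var_dump(writeConfigSafe($path, $input));                     // bool(true)
var_dump(containsToken(file_get_contents($path), T_ECHO));   // bool(false)
$cfg = include $path;
var_dump($cfg['DB_PASSWORD'] === $input);                     // bool(true)
unlink($path);
```

The token check is the kind of assertion a deployment test can run over every generated PHP config file, independent of which field was mishandled.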

Remediation

Users are advised to update to ChurchCRM version 7.3.2 or later.

Added: May 12, 2026, 11:22 PM
Updated: May 12, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 10.0
exploitability: 9.5
remediation: 7.7
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.