CVE-2021-3164

HIGH

ChurchRota 2.6.4 - Authenticated Remote Code Execution via File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-3164, a PoC published by rmccarth.

AI-analyzed exploit summary: the repository contains a functional exploit for CVE-2021-3164 demonstrating authenticated remote code execution in Church Rota 2.6.4 via a file upload vulnerability. The exploit is a Python script that automates login, file upload, and payload execution.

Description

ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. An authenticated user who has not been granted file upload permission can still upload an arbitrary file via a POST request to resources.php and then execute it, so any valid low-privilege account is sufficient.
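The description above gives defenders a concrete two-step pattern to look for in web-server access logs: an authenticated POST to resources.php followed shortly by a GET from the same client for a server-side script that client had not requested before. The script below is an added example, not code from this page or from the PoC repository. The log lines are constructed for the example, the 60-second window and the upload path /uploads/x.php are assumptions (the page does not state where uploaded files land, so the rule keys on any previously unseen .php path rather than a specific directory), and the log format is the common Apache/nginx combined format.

```python
# Added example (not from the page or the PoC): detect "upload via POST resources.php,
# then execute the uploaded script" in web-server access logs.
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: the first client logs in, POSTs to resources.php and then
# requests a new .php path (assumed upload location); the second client POSTs to
# resources.php and then reloads the same page, which is ordinary behaviour.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jan/2021:10:00:01 +0000] "POST /login.php HTTP/1.1" 302 0
203.0.113.5 - - [26/Jan/2021:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [26/Jan/2021:10:00:09 +0000] "POST /resources.php HTTP/1.1" 200 312
203.0.113.5 - - [26/Jan/2021:10:00:11 +0000] "GET /uploads/x.php?cmd=id HTTP/1.1" 200 77
198.51.100.7 - - [26/Jan/2021:10:05:00 +0000] "POST /resources.php HTTP/1.1" 200 312
198.51.100.7 - - [26/Jan/2021:10:05:02 +0000] "GET /resources.php HTTP/1.1" 200 4000
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop the query string
            "status": int(m["status"]),
        }


def find_upload_then_execute(text, window_s=60, upload_endpoint="/resources.php"):
    """Return one alert per client that POSTs to the upload endpoint and, within
    window_s seconds, successfully GETs a .php path it had never requested before."""
    seen = {}      # ip -> set of paths that client has requested so far (any method)
    pending = {}   # ip -> timestamp of that client's most recent successful upload POST
    alerts = []
    for e in sorted(parse_log(text), key=lambda e: e["ts"]):
        ip, path = e["ip"], e["path"]
        if e["method"] == "POST" and path == upload_endpoint and e["status"] < 400:
            pending[ip] = e["ts"]
        elif (
            e["method"] == "GET"
            and path.endswith(".php")
            and e["status"] == 200
            and ip in pending
            and e["ts"] - pending[ip] <= timedelta(seconds=window_s)
            and path not in seen.get(ip, set())
        ):
            alerts.append({"ip": ip, "upload_at": pending[ip], "executed": path, "at": e["ts"]})
        seen.setdefault(ip, set()).add(path)
    return alerts


if __name__ == "__main__":
    for a in find_upload_then_execute(SAMPLE_LOG):
        print(f"{a['ip']} uploaded at {a['upload_at']:%H:%M:%S}, executed {a['executed']} at {a['at']:%H:%M:%S}")
```

Run on the sample, only 203.0.113.5 is flagged; the second client's GET of resources.php is suppressed because that path was already in its history. In production, narrow the rule to the real upload directory once it is known from the deployment, and pair it with a file-integrity check for new .php files under the web root.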

Exploits (1)

rmccarth/cve-2021-3164 (GitHub, 2 stars) · working PoC
by rmccarth · poc
https://github.com/rmccarth/cve-2021-3164

Classification: working PoC (confidence 100%)
Attack type: RCE
Complexity: trivial
Reliability: reliable
Target: Church Rota 2.6.4
Auth required: yes
Prerequisites: valid credentials for Church Rota · network access to the target
Analyzed by devstral-2 on Feb 18, 2026

References (2)

Core references:
https://github.com/rmccarth/cve-2021-3164 (Exploit, Third Party Advisory; x_refsource_MISC)

Scores

CVSS v3.1 base score: 8.8 (High)
EPSS: 0.0415 (4.15% estimated probability of exploitation in the next 30 days)
EPSS percentile: 89.6%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The PR:L component is what encodes the authentication requirement; with no credentials needed (PR:N) the same impact would score 9.8.

Details

CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Status: published
Products (1): churchdesk/churchrota 2.6.4
Published: Jan 26, 2021
Tracked since: Feb 18, 2026