CVE-2021-43258

HIGH

ChurchInfo 1.2.13-1.3.0 - Authenticated Remote Code Execution via Email Attachment Upload

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-43258. PoCs published by MRvirusIR, m4lwhere <[email protected]>, including Metasploit module exploits/multi/http/churchinfo_upload_exec.

AI-analyzed exploit summary This is a Metasploit module for CVE-2021-43258, exploiting a file upload vulnerability in ChurchInfo 1.2.13-1.3.0. It allows authenticated users to upload a malicious PHP file via a draft email attachment, leading to remote code execution.

Description

CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server.

Exploits (2)

nomisec WORKING POC 2 stars

by MRvirusIR · poc

https://github.com/MRvirusIR/CVE-2021-43258

View Code ZIP pw:eip

This is a Metasploit module for CVE-2021-43258, exploiting a file upload vulnerability in ChurchInfo 1.2.13-1.3.0. It allows authenticated users to upload a malicious PHP file via a draft email attachment, leading to remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ChurchInfo 1.2.13-1.3.0

Auth required

Prerequisites: Valid credentials for ChurchInfo application · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1204 - User Execution T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

by m4lwhere <[email protected]> · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/churchinfo_upload_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated RCE vulnerability in ChurchInfo 1.2.13-1.3.0 by uploading a malicious PHP file as an email attachment, which is then accessible via the web server's /tmp_attach/ directory.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: ChurchInfo 1.2.13-1.3.0

Auth required

Prerequisites: Valid credentials for ChurchInfo application · Access to the ChurchInfo web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1204 - User Execution T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Product

http://www.churchdb.org/

Exploit, Patch, Third Party Advisory

https://github.com/rapid7/metasploit-framework/pull/17257

Product

https://sourceforge.net/projects/churchinfo/files/

Scores

CVSS v3 8.8

EPSS 0.1052

EPSS Percentile 95.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (1)

churchdb/churchinfo 1.2.13 - 1.3.0

Published Nov 23, 2022

Tracked Since Feb 18, 2026