CVE-2022-31325
HIGHChurchCRM 4.4.5 - SQL Injection via PersonID Parameter
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2022-31325. PoCs published by nu11secur1ty.
AI-analyzed exploit summary This exploit demonstrates SQL injection in ChurchCRM 4.4.5 via the 'PersonID' parameter in /churchcrm/WhyCameEditor.php. It includes boolean-based and time-based blind SQLi payloads.
Description
There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
Exploits (1)
exploitdb
WORKING POC
by nu11secur1ty · textwebappsphp
https://www.exploit-db.com/exploits/50965
This exploit demonstrates SQL injection in ChurchCRM 4.4.5 via the 'PersonID' parameter in /churchcrm/WhyCameEditor.php. It includes boolean-based and time-based blind SQLi payloads.
Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target:
ChurchCRM 4.4.5
No auth needed
Prerequisites:
Access to the vulnerable endpoint
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (4)
Core 4
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/ChurchCRM/CRM/issues/6005
Broken Link x_refsource_misc
https://www.nu11secur1ty.com/2022/06/cve-2022-31325.htm
Third Party Advisory x_refsource_misc
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-31325
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/167483/ChurchCRM-4.4.5-SQL-Injection.html
Scores
CVSS v3
7.2
EPSS
0.0485
EPSS Percentile
90.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
churchcrm/churchcrm
4.4.5
Published
Jun 08, 2022
Tracked Since
Feb 18, 2026