CVE-2024-25897

CRITICAL

ChurchCRM 5.5.0 - Blind SQL Injection via CurrentFundraiser GET Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-25897. PoCs published by i-100-user.

AI-analyzed exploit summary This Python script exploits CVE-2024-25897 in Jenkins by downloading the jenkins-cli.jar file and executing a payload to connect a node. It requires the target IP, port, and a file path as arguments.

Description

ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.

Exploits (1)

nomisec WORKING POC 2 stars

by i-100-user · poc

https://github.com/i-100-user/CVE-2024-25897

View Code ZIP pw:eip

This Python script exploits CVE-2024-25897 in Jenkins by downloading the jenkins-cli.jar file and executing a payload to connect a node. It requires the target IP, port, and a file path as arguments.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Jenkins

No auth needed

Prerequisites: Network access to the Jenkins server · Jenkins server with the vulnerability

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Issue Tracking, Vendor Advisory

https://github.com/ChurchCRM/CRM/issues/6856

Scores

CVSS v3 9.8

EPSS 0.0155

EPSS Percentile 71.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

churchcrm/churchcrm 5.5.0

Published Feb 21, 2024

Tracked Since Feb 18, 2026