CVE-2025-68109

CRITICAL

Churchcrm < 6.5.3 - Remote Code Execution

Title source: rule

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

Exploits (1)

metasploit WORKING POC NORMAL

by LucasCsmt · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/churchcrm_db_restore_rce.rb

View Code ZIP pw:eip

References (1)

[Exploit, Vendor Advisory] https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77

Scores

CVSS v3 9.1

EPSS 0.2544

EPSS Percentile 96.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-552 CWE-915 CWE-78 CWE-494 CWE-434

Status published

Products (1)

churchcrm/churchcrm < 6.5.3

Published Dec 17, 2025

Tracked Since Feb 18, 2026