CVE-2026-24854

HIGH

ChurchCRM < 6.7.2 - Authenticated SQL Injection via PaddleNumEditor.php PerID Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-24854. PoCs published by XiaomingX, mbanyamer.

AI-analyzed exploit summary This repository contains a functional SQL injection exploit for CVE-2025-10042, targeting WordPress Quiz Maker plugin versions <= 6.7.0.56. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Description

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-24854

View Code ZIP pw:eip

This repository contains a functional SQL injection exploit for CVE-2025-10042, targeting WordPress Quiz Maker plugin versions <= 6.7.0.56. The exploit uses time-based blind SQLi to extract admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header for injection

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by mbanyamer · poc

https://github.com/mbanyamer/CVE-2026-24854-ChurchCRM-6.7.2-Authenticated-Numeric-SQL-Injection

View Code ZIP pw:eip

This is a functional PoC for CVE-2026-24854, demonstrating an authenticated numeric SQL injection in ChurchCRM < 6.7.2. It manipulates the 'PerID' parameter to bypass SQL logic, enabling unauthorized modifications to database records.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: ChurchCRM < 6.7.2

Auth required

Prerequisites: Authenticated access to ChurchCRM · Valid session credentials · Network access to the target application

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr

Patch x_refsource_misc

http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0035

EPSS Percentile 26.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

churchcrm/churchcrm < 6.7.2

Published Jan 30, 2026

Tracked Since Feb 18, 2026