CVE-2025-1023
Published: 18 February 2025
Summary
CVE-2025-1023 is a critical-severity SQL Injection (CWE-89) vulnerability in Churchcrm Churchcrm. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
ChurchCRM versions 5.13.0 and prior are affected by a time-based blind SQL injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without sanitization, allowing construction of arbitrary database queries under CWE-89.
An authenticated user with administrative privileges can exploit the flaw remotely to execute crafted SQL statements, resulting in data exfiltration, modification, or deletion. The CVSS 9.3 rating reflects network attack vector, low complexity, and high impact across confidentiality, integrity, and availability with no user interaction required.
The single reference points to a GitHub issue opened for the vulnerability, though no specific patch or mitigation guidance is detailed in the available information. The EPSS score has remained flat at 0.0275 with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4527
Vulnerability details
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without…
more
proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in web application (ChurchCRM) enables exploitation of public-facing app (T1190), data collection from databases (T1213.006), stored data manipulation (T1565.001), and data destruction (T1485) via arbitrary SQL queries for exfiltration, modification, or deletion.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of the newCountName input parameter to prevent time-based blind SQL injection in the EditEventTypes functionality.
Mandates identification, reporting, and correction of the specific SQL injection flaw in ChurchCRM 5.13.0 and prior versions.
Vulnerability scanning would identify the time-based blind SQL injection vulnerability in the affected ChurchCRM application.