CVE-2025-1132
Published: 19 February 2025
Summary
CVE-2025-1132 is a high-severity SQL Injection (CWE-89) vulnerability in ChurchCRM. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 31.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents the time-based blind SQL injection by validating and sanitizing the EN_tyid parameter before it is inserted into an SQL query.
- Flaw remediation: removes the specific SQL injection flaw in ChurchCRM's EditEventAttendees.php through timely patching.
- RA-5 (Vulnerability Monitoring and Scanning): scans for vulnerabilities such as the time-based blind SQLi in the EN_tyid parameter, enabling proactive identification and remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The time-based blind SQL injection vulnerability in the ChurchCRM web application enables exploitation of a public-facing application (T1190) and facilitates collection of sensitive data from databases (T1213.006).
NVD Description
A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the vulnerability requires Administrator permissions. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved.
Deeper analysis
CVE-2025-1132 is a time-based blind SQL injection vulnerability (CWE-89) in ChurchCRM versions 5.13.0 and prior. The flaw exists in the EditEventAttendees.php component, where the EN_tyid parameter is directly inserted into an SQL query without proper sanitization. This allows injection of malicious SQL commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires administrator permissions. A malicious actor with admin access can supply crafted input via the EN_tyid parameter to introduce SQL payloads that delay database responses, enabling detection of the vulnerability through timing analysis. As a time-based blind injection, it permits attackers to infer underlying database details and, through further exploitation, potentially retrieve sensitive data.
Mitigation details are available in the GitHub issue at https://github.com/ChurchCRM/CRM/issues/7251.
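The root cause described above (a request parameter concatenated straight into SQL text) and the SI-10 mitigation (validate the parameter, then bind it) are shown side by side in the following example. This is an added illustration and not ChurchCRM's code; the table name event_attend, its columns and the sample rows are constructed here, and only the EN_tyid parameter name comes from the advisory.

```php
<?php
// Added illustrative example (not ChurchCRM's code). It assumes a constructed
// "event_attend" table whose integer column is named after the EN_tyid
// parameter; the schema and rows exist only for this demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE event_attend (id INTEGER PRIMARY KEY, person TEXT, EN_tyid INTEGER)');
$pdo->exec("INSERT INTO event_attend (person, EN_tyid) VALUES ('Alice', 1), ('Bob', 2), ('Carol', 2)");

// Vulnerable pattern (the defect class the advisory describes): the request
// parameter is concatenated into the SQL text, so whoever supplies it also
// controls the structure of the query, not just the compared value.
function attendeesVulnerable(PDO $pdo, string $enTyid): array
{
    $sql = "SELECT person FROM event_attend WHERE EN_tyid = " . $enTyid;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern (SI-10 input validation plus a parameterised query):
// EN_tyid is validated as a positive integer before use, and the value is
// bound as a typed parameter so it can never change the query structure.
function attendeesHardened(PDO $pdo, string $enTyid): array
{
    $id = filter_var($enTyid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('EN_tyid must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT person FROM event_attend WHERE EN_tyid = :tyid');
    $stmt->bindValue(':tyid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a legitimate id, and an input that rewrites the WHERE clause.
foreach (['2', '2 OR 1=1'] as $input) {
    echo "input: $input\n";
    echo "  vulnerable: " . implode(', ', attendeesVulnerable($pdo, $input)) . "\n";
    try {
        echo "  hardened:   " . implode(', ', attendeesHardened($pdo, $input)) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

With the legitimate input both functions return Bob and Carol; with the second input the vulnerable function returns every row because the injected clause widened the query, while the hardened function rejects the value before any SQL is built. Validating the type is what closes this class of flaw; the prepared statement is the defence that holds even if a later change relaxes the validation.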
Details
- CWE(s): CWE-89 (SQL Injection)