CVE-2025-1133
Published: 19 February 2025
Summary
CVE-2025-1133 is a high-severity SQL Injection (CWE-89) vulnerability in Churchcrm Churchcrm. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection attacks by requiring validation and sanitization of the EID parameter before concatenation into SQL queries in the EditEventAttendees functionality.
Ensures timely identification, reporting, and patching of the specific SQL injection flaw in ChurchCRM versions 5.13.0 and prior.
Enables proactive detection of the boolean-based blind SQL injection vulnerability through regular vulnerability scanning of the EditEventAttendees functionality.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in ChurchCRM enables arbitrary SQL query execution with admin privileges, facilitating database data collection (T1213.006), stored data manipulation via updates/inserts (T1565.001), and data destruction via deletes (T1485).
NVD Description
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without…
more
proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion. Please note that this vulnerability requires Administrator privileges.
Deeper analysisAI
CVE-2025-1133 is a boolean-based blind SQL injection vulnerability affecting ChurchCRM versions 5.13.0 and prior. The issue exists in the EditEventAttendees functionality, where the EID parameter is directly concatenated into an SQL query without proper sanitization, enabling attackers to execute arbitrary SQL queries.
This vulnerability requires Administrator privileges for exploitation and can be triggered over the network with low attack complexity and no user interaction. A successful attack allows data exfiltration, modification, or deletion, with high impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Mitigation details are available in the referenced advisory at https://github.com/ChurchCRM/CRM/issues/7252.
Details
- CWE(s)