Cyber Resilience

CVE-2025-1133

CriticalPublic PoC

Published: 19 February 2025

Published
19 February 2025
Modified
25 February 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Red
EPSS Score 0.0018 39.1th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1133 is a critical-severity SQL Injection (CWE-89) vulnerability in Churchcrm Churchcrm. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-1133 is a boolean-based blind SQL injection vulnerability affecting ChurchCRM versions 5.13.0 and prior. The issue exists in the EditEventAttendees functionality, where the EID parameter is directly concatenated into an SQL query without proper sanitization, enabling attackers to execute arbitrary SQL queries.

This vulnerability requires Administrator privileges for exploitation and can be triggered over the network with low attack complexity and no user interaction. A successful attack allows data exfiltration, modification, or deletion, with high impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Mitigation details are available in the referenced advisory at https://github.com/ChurchCRM/CRM/issues/7252.

EU & UK References

Vulnerability details

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without…

more

proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion. Please note that this vulnerability requires Administrator privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The SQL injection vulnerability in ChurchCRM enables arbitrary SQL query execution with admin privileges, facilitating database data collection (T1213.006), stored data manipulation via updates/inserts (T1565.001), and data destruction via deletes (T1485).

CVEs Like This One

CVE-2025-1134Same product: Churchcrm Churchcrm
CVE-2025-1023Same product: Churchcrm Churchcrm
CVE-2025-1135Same product: Churchcrm Churchcrm
CVE-2026-39343Same product: Churchcrm Churchcrm
CVE-2026-39329Same product: Churchcrm Churchcrm
CVE-2026-24854Same product: Churchcrm Churchcrm
CVE-2026-39319Same product: Churchcrm Churchcrm
CVE-2026-39340Same product: Churchcrm Churchcrm
CVE-2026-39342Same product: Churchcrm Churchcrm
CVE-2026-39325Same product: Churchcrm Churchcrm

Affected Assets

churchcrm
churchcrm
≤ 5.13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection attacks by requiring validation and sanitization of the EID parameter before concatenation into SQL queries in the EditEventAttendees functionality.

prevent

Ensures timely identification, reporting, and patching of the specific SQL injection flaw in ChurchCRM versions 5.13.0 and prior.

detect

Enables proactive detection of the boolean-based blind SQL injection vulnerability through regular vulnerability scanning of the EditEventAttendees functionality.

References