CVE-2025-1132

CRITICAL EPSS 41.1%

Published Feb 19, 20251y ago · Modified Jun 17, 20261w ago

9.3 CVSS 4.0

Critical

Published Feb 19, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the vulnerability requires Administrator permissions. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved.

CVSS Details

Base Score

9.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Red

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

41.1% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-89 SQL Injection Injection

Affected Products 1

Vendor	Product	Version	Range
churchcrm	churchcrm	*	≤5.13.0

References 1

github.com https://github.com/ChurchCRM/CRM/issues/7251

ExploitIssue TrackingThird Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.