CVE-2026-42289
HIGH EPSS 2.8%
Published May 12, 20261mo ago · Modified Jun 17, 20261w ago
8.8 CVSS 3.1
Published May 12, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago
Description
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
2.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 3
CWE-269 Improper Privilege Management Authorization
CWE-306 Missing Authentication for Critical Function Authentication
CWE-352 Cross-Site Request Forgery (CSRF) Authentication
References 1
- github.com https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3xq9-c86x-cwpp
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.