Description
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the src/UserEditor.php file. When an administrator saves a user's configuration settings, the keys of the type POST parameter array are not sanitized or type-cast before being used in multiple SQL queries. This allows a malicious or compromised administrator account to execute arbitrary SQL commands, including time-based blind SQL injection, and so interact directly with the database.

The vulnerability is located in src/UserEditor.php within the logic that handles saving user-specific configuration settings. The type parameter from the POST request is processed as an array. The code iterates through this array and uses key($type) to extract the array key, which is expected to be a numeric ID. This key is then assigned to the $id variable. The $id variable is subsequently concatenated directly into a SELECT and an UPDATE SQL query without
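The following is an added illustration, not ChurchCRM's code: it reconstructs the pattern the description gives (an array key taken from the POST "type" parameter and concatenated into a SELECT and an UPDATE as an ID) and places a hardened variant beside it. The table name userconfig, the column names ucfg_id and ucfg_type, and the request bodies are assumptions constructed for the example; the in-memory SQLite database is used only so the file runs stand-alone.

```php
<?php
// Added example, not ChurchCRM code. Table/column names (userconfig,
// ucfg_id, ucfg_type) and the request bodies below are constructed.
declare(strict_types=1);

// --- Vulnerable pattern -----------------------------------------------------
// The array key is trusted as a numeric ID and concatenated into two queries.
// Returns the raw SQL strings so the injection is visible without a live DB.
function buildQueriesUnsafe(array $type): array
{
    $id    = key($type);        // whatever key the client sent: no cast, no check
    $value = current($type);
    return [
        "SELECT ucfg_type FROM userconfig WHERE ucfg_id = $id",
        "UPDATE userconfig SET ucfg_type = '$value' WHERE ucfg_id = $id",
    ];
}

// --- Hardened pattern -------------------------------------------------------
// Every key must be a decimal integer; ID and value are bound as parameters.
function saveConfigSafe(PDO $pdo, array $type): int
{
    $sel = $pdo->prepare("SELECT ucfg_type FROM userconfig WHERE ucfg_id = :id");
    $upd = $pdo->prepare("UPDATE userconfig SET ucfg_type = :val WHERE ucfg_id = :id");
    $updated = 0;
    foreach ($type as $key => $value) {
        // PHP turns "2" into int 2 but keeps "1 OR 1=1" as a string key;
        // ctype_digit on the string form accepts only unsigned decimal IDs.
        if (!ctype_digit((string) $key)) {
            throw new InvalidArgumentException(
                "config id must be numeric, got " . var_export($key, true)
            );
        }
        $id = (int) $key;
        $sel->execute([':id' => $id]);
        if ($sel->fetchColumn() === false) {
            continue;           // unknown id: nothing to update
        }
        $upd->execute([':val' => (string) $value, ':id' => $id]);
        $updated += $upd->rowCount();
    }
    return $updated;
}

// --- Demonstration with an in-memory SQLite database (constructed data) ------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE userconfig (ucfg_id INTEGER PRIMARY KEY, ucfg_type TEXT)");
$pdo->exec("INSERT INTO userconfig VALUES (1, 'text'), (2, 'boolean')");

$benign    = ['2' => 'number'];            // type[2]=number
$malicious = ['1 OR 1=1' => 'number'];     // type[1 OR 1=1]=number

foreach (buildQueriesUnsafe($malicious) as $sql) {
    echo "unsafe: $sql\n";                 // WHERE clause now matches every row
}

echo "safe: updated " . saveConfigSafe($pdo, $benign) . " row(s)\n";
try {
    saveConfigSafe($pdo, $malicious);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (" . $e->getMessage() . ")\n";
}
```

The unsafe builder is only ever used to print the query text; it is never executed against the database. The point of the hardened version is that both the key and the value go through parameter binding, and that the key is validated before the cast so that a non-numeric key is rejected loudly rather than silently coerced to 0 or 1.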
References
- Exploit
- Vendor Advisory
Vulnerable configurations
EPSS
CVSS3: 7.2 (High)
Defects