CVE-2025-1132

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Feb 19, 2025
Updated: Feb 25, 2025
CWE ID 89

Summary

CVE-2025-1132 is a time-based blind SQL injection vulnerability in ChurchCRM 5.13.0 and earlier, specifically in the EditEventAttendees.php script. The EN_tyid parameter is inserted into an SQL query without proper sanitization, which allows an attacker with Administrator permissions to inject SQL commands. Because the injection is blind, the only directly observable effect is a delayed response time, which signals the presence of the flaw. Even so, it gives the attacker insight into the underlying database and, with further exploitation, poses a risk of sensitive information being extracted.
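The following is an added illustration of the pattern the advisory describes, a request parameter concatenated into SQL text, beside a hardened form that validates and binds the value. It is not ChurchCRM's own code: the table, column and query are placeholders, and it assumes EN_tyid is a positive integer id and that PDO is available.

```php
<?php
// Added illustration (not ChurchCRM's actual code): the pattern the advisory
// describes, a request parameter concatenated into SQL, beside a hardened form.
// Assumptions: EN_tyid is a positive integer id, the app uses PDO, and the
// table/column below are placeholders, not the project's real schema.

declare(strict_types=1);

// Vulnerable pattern: whatever arrives in EN_tyid becomes part of the SQL text.
// A non-numeric value changes the query's meaning; with no visible output,
// the script's response time is what reveals whether injected SQL ran
// (time-based blind SQL injection).
function loadEventTypeUnsafe(PDO $db, array $request): array
{
    $sql = "SELECT * FROM event_types_placeholder WHERE type_id = " . $request['EN_tyid'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the parameter as a positive integer first, then
// bind it as a typed value so it is never interpreted as SQL syntax.
function loadEventTypeSafe(PDO $db, array $request): array
{
    $id = filter_var($request['EN_tyid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        throw new InvalidArgumentException('EN_tyid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT * FROM event_types_placeholder WHERE type_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data and input (a real handler would read $_GET/$_POST).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_types_placeholder (type_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO event_types_placeholder VALUES (1, 'Worship')");

var_dump(loadEventTypeSafe($db, ['EN_tyid' => '1']));   // one row
try {
    loadEventTypeSafe($db, ['EN_tyid' => '1abc']);      // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The validation step is what matters for this CVE class: a value that is not a well-formed integer is rejected before any query is built, and the bound parameter removes the concatenation that made the timing channel possible.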

