CVE-2025-62521 | ChurchCRM is an open-source church management system. Prior … | CVSS 10.0 CRITICAL

Description

ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.

Metadata

CVE ID: CVE-2025-62521
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2025-10-15 15:03 UTC
Published: 2025-12-17 19:03 UTC
Last updated: 2025-12-17 19:30 UTC
Primary CWE: CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product: ChurchCRM / CRM
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
ChurchCRM	CRM	—	< 5.21.0

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-m8jq-j3p9-2xf3 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-m8jq-j3p9-2xf3