CVE-2025-1133— SQL Injection in ChurchCRM EID Parameter via EditEventAttendees.php
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-1133
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SQL Injection in ChurchCRM EID Parameter via EditEventAttendees.php
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion. Please note that this vulnerability requires Administrator privileges.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
ChurchCRM 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ChurchCRM是ChurchCRM开源的一个为教会打造的开源 CRM 系统。 ChurchCRM 5.13.0及之前版本存在安全漏洞,该漏洞源于EID参数未经适当清理就直接连接到SQL查询中,容易受到SQL注入攻击,攻击者可以利用EditEventAttendees功能中基于布尔的盲SQL注入漏洞来执行任意SQL查询。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-1133
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-1133
请登录查看更多情报信息。
Same Patch Batch · ChurchCRM · 2025-02-19 · 5 CVEs total
| CVE-2025-1024 | Session Hijacking via Reflected Cross-Site Scripting (XSS) in ChurchCRM EditEventAttendees | |
| CVE-2025-1132 | SQL Injection in ChurchCRM EN_tyid Parameter via EditEventAttendees.php | |
| CVE-2025-1134 | SQL Injection in ChurchCRM CurrentFundraiser Parameter via DonatedItemEditor.php | |
| CVE-2025-1135 | SQL Injection in ChurchCRM CurrentFundraiser Parameter via BatchWinnerEntry.php |
IV. Related Vulnerabilities
Same product: ChurchCRM
- CVE-2025-11939
ChurchCRM Backup Restore RestoreJob.php path traversal - CVE-2025-11938
ChurchCRM setup.php deserialization - CVE-2025-11529
ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware mis - CVE-2025-3954
ChurchCRM Referer server-side request forgery - CVE-2025-1135
SQL Injection in ChurchCRM CurrentFundraiser Parameter via B
Same vendor: ChurchCRM
- CVE-2026-40593
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field - CVE-2026-40581
ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete - CVE-2026-40485
ChurchCRM: Username Enumeration via Differential Response in - CVE-2026-40484
ChurchCRM: Authenticated Remote Code Execution via Unrestric - CVE-2026-40483
ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comme
Same weakness: CWE-89
- CVE-2021-47941
WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss - CVE-2021-47930
Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthentic - CVE-2021-47928
Opencart TMD Vendor System 3.x Blind SQL Injection via produ - CVE-2026-8231
CodeAstro Online Catering Ordering System deleteorder.php sq - CVE-2025-14179
SQL injection in pdo_firebird via NUL bytes in quoted string
V. Comments for CVE-2025-1133
No comments yet