CVE-2025-62521— ChurchCRM has unauthenticated RCE in its Install Wizard
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-62521
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ChurchCRM has unauthenticated RCE in its Install Wizard
Source: NVD (National Vulnerability Database)
Vulnerability Description
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
ChurchCRM 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ChurchCRM是ChurchCRM开源的一个为教会打造的开源 CRM 系统。 ChurchCRM 5.21.0之前版本存在代码注入漏洞,该漏洞源于安装向导中用户输入未经验证直接写入配置文件,可能导致远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
II. Public POCs for CVE-2025-62521
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-62521
请登录查看更多情报信息。
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-m8jq-j3p9-2xf3x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2025-62521
Same Patch Batch · ChurchCRM · 2025-12-17 · 15 CVEs total
| CVE-2025-68110 | 10.0 CRITICAL | ChurchCRM discloses database information on error message |
| CVE-2025-68112 | 9.6 CRITICAL | ChurchCRM has SQL injection in EditEventAttendees.php |
| CVE-2025-68109 | 9.1 CRITICAL | ChurchCRM vulnerable to RCE with database restore functionality |
| CVE-2025-66395 | 8.8 HIGH | SQL Injection in Event List via `WhichType` Parameter |
| CVE-2025-66397 | 8.3 HIGH | ChurchCRM's Kiosk Manager Functions are vulnerable to Broken Access Control |
| CVE-2025-66396 | 7.2 HIGH | ChurchCRM has SQL Injection in User Editor via `type` Parameter Key |
| CVE-2025-68111 | 7.2 HIGH | ChurchCRM has SQL Injection in eGive Import Feature |
| CVE-2025-67876 | ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking | |
| CVE-2025-67875 | ChurchCRM has stored XSS via Person Property Assignment Leading to Admin Session Hijacking | |
| CVE-2025-67877 | ChurchCRM SQL Injection Vulnerability | |
| CVE-2025-68399 | ChurchCRM has Stored Cross-Site Scripting (XSS) In GroupEditor.php | |
| CVE-2025-68401 | ChurchCRM has Stored Cross-Site Scripting (XSS) vulnerability that leads to session theft | |
| CVE-2025-68400 | ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php | |
| CVE-2025-68275 | ChurchCRM vulnerable to Stored XSS - Group name > Person Listing |
IV. Related Vulnerabilities
Same product: CRM
- CVE-2026-40593
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field - CVE-2026-40581
ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete - CVE-2026-40485
ChurchCRM: Username Enumeration via Differential Response in - CVE-2026-40484
ChurchCRM: Authenticated Remote Code Execution via Unrestric - CVE-2026-40483
ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comme
Same vendor: ChurchCRM
- CVE-2026-40593
ChurchCRM: Stored XSS in UserEditor.php via Login Name Field - CVE-2026-40581
ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete - CVE-2026-40485
ChurchCRM: Username Enumeration via Differential Response in - CVE-2026-40484
ChurchCRM: Authenticated Remote Code Execution via Unrestric - CVE-2026-40483
ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comme
Same weakness: CWE-94
- CVE-2021-47939
Evolution CMS 3.1.6 Authenticated Remote Code Execution via - CVE-2021-47938
ImpressCMS 1.4.2 Remote Code Execution via Autotasks - CVE-2021-47935
Sentry 8.2.0 Remote Code Execution via Pickle Deserializatio - CVE-2022-50944
Aero CMS 0.0.1 PHP Code Injection via posts.php - CVE-2026-8211
codelibs Fess JSP File AdminDesignAction.java update code in
V. Comments for CVE-2025-62521
No comments yet