CVE-2025-11938: Deserialization in ChurchCRM
A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11938 is a deserialization vulnerability identified in ChurchCRM, an open-source church management software, affecting all versions up to 5.18.0. The vulnerability exists in the setup/routes/setup.php file, where manipulation of certain parameters—specifically DB_PASSWORD, ROOT_PATH, or URL—can lead to unsafe deserialization of untrusted data. Deserialization vulnerabilities occur when untrusted input is deserialized without proper validation, potentially allowing attackers to execute arbitrary code, alter application logic, or cause denial of service. In this case, the vulnerability can be triggered remotely without authentication or user interaction, but the attack complexity is rated as high, indicating that exploitation requires advanced skills or specific conditions. The CVSS 4.0 score is 6.3 (medium severity), reflecting limited confidentiality, integrity, and availability impacts with no privileges or user interaction needed but high attack complexity. Although an exploit has been publicly disclosed, there are no confirmed reports of active exploitation in the wild. The vendor has not responded to early disclosure attempts, and no official patches have been released yet. This vulnerability poses a risk to organizations relying on ChurchCRM for managing sensitive community and member data, as exploitation could lead to unauthorized access or disruption of services.
Potential Impact
For European organizations, particularly religious institutions, charities, and community groups using ChurchCRM, this vulnerability could lead to unauthorized access to sensitive member data, manipulation of database credentials, or disruption of service availability. The deserialization flaw could allow attackers to execute arbitrary code or escalate privileges, potentially compromising the confidentiality and integrity of stored information. Given the remote exploitability without authentication, attackers could target exposed ChurchCRM installations over the internet. Although exploitation complexity is high, motivated threat actors could leverage this vulnerability to disrupt community operations or harvest personal data, which may include sensitive religious affiliations or contact information. This could have reputational and legal consequences under European data protection regulations such as GDPR. The lack of vendor response and absence of patches increases the risk exposure until mitigations are applied.
Mitigation Recommendations
1. Immediately restrict external access to the ChurchCRM setup interface, ideally limiting it to trusted internal networks or VPNs.
2. Implement strict input validation and sanitization on all parameters, especially DB_PASSWORD, ROOT_PATH, and URL, to prevent malicious serialized data from being processed.
3. Disable or replace any unsafe deserialization mechanisms in the affected setup/routes/setup.php file.
4. Monitor logs and network traffic for unusual activity indicative of exploitation attempts, such as unexpected serialized payloads or anomalous requests to setup routes.
5. If possible, upgrade to a patched version once the vendor releases a fix; meanwhile, consider applying community or third-party patches or workarounds.
6. Conduct a security review of ChurchCRM deployments to identify exposed instances and apply network-level protections such as web application firewalls (WAFs) with custom rules targeting deserialization attack patterns.
7. Educate administrators about the risks and signs of exploitation to enable rapid detection and response.
8. Regularly back up ChurchCRM data and configuration to enable recovery in case of compromise.
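Mitigation step 4 asks for monitoring of setup-route requests that carry serialized payloads. The following is an added detection example, not code from the advisory or from ChurchCRM: it scans common-format web server access-log lines for requests under a `/setup` path whose DB_PASSWORD, ROOT_PATH or URL query parameters contain a PHP-serialized object marker. The `/setup` prefix, the log layout and the sample lines are assumptions constructed for the example; the parameter names come from the advisory.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Parameter names are from the advisory; the route prefix is an assumption.
SETUP_ROUTE_PREFIX = "/setup"
WATCHED_PARAMS = {"DB_PASSWORD", "ROOT_PATH", "URL"}

# PHP object-serialization markers: O:<len>:"Class":<n>:{ ... } or C:<len>:"Class":<n>:{ ... }.
# Bare scalars (s:, i:) and arrays (a:) are not flagged on their own, to limit false positives.
PHP_OBJECT = re.compile(r'(?:^|[{;])[OC]:\d+:"[^"]+":\d+:\{')

# Common/combined access-log layout: client ident user [timestamp] "METHOD target proto" status ...
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_params(path: str, query: str) -> list[str]:
    """Return the watched parameter names whose decoded values contain a PHP-serialized
    object, but only for requests under the setup route (sorted, unique)."""
    if not path.startswith(SETUP_ROUTE_PREFIX):
        return []
    hits = set()
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.upper() in WATCHED_PARAMS and any(PHP_OBJECT.search(v) for v in values):
            hits.add(name)
    return sorted(hits)


def flag_request(line: str) -> Optional[dict]:
    """Parse one access-log line and return a finding, or None if nothing is suspicious.
    Access logs only carry the query string; POST bodies must come from a WAF or
    request-body log and be passed to flag_params() directly."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    hits = flag_params(target.path, target.query)
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": target.path, "params": hits}


def scan_access_log(lines) -> list[dict]:
    return [f for f in map(flag_request, lines) if f]


# Constructed sample lines, not real traffic. Line 1: harmless serialized stdClass in DB_PASSWORD
# on the setup route (flagged). Line 2: ordinary setup request (clean). Line 3: serialized object,
# but outside the setup route, so out of scope for this rule.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Oct/2025:07:37:49 +0000] "GET /setup/?DB_PASSWORD=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D&ROOT_PATH=%2Fvar%2Fwww HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Oct/2025:07:40:02 +0000] "GET /setup/?DB_PASSWORD=s3cret&URL=https%3A%2F%2Fexample.org HTTP/1.1" 200 512',
    '192.0.2.9 - - [19/Oct/2025:07:41:10 +0000] "GET /index.php?URL=O%3A1%3A%22X%22%3A0%3A%7B%7D HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Feed real log lines through `scan_access_log()` and forward findings to the SIEM; tune `SETUP_ROUTE_PREFIX` to the path under which the instance actually serves its setup routes.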
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-18T12:54:26.566Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f4954ddd9718ca70979f34
Added to database: 10/19/2025, 7:37:49 AM
Last enriched: 10/19/2025, 7:39:26 AM
Last updated: 10/19/2025, 2:04:36 PM