CVE-2025-11938: Deserialization in ChurchCRM
A vulnerability was found in ChurchCRM up to 5.18.0. It affects unknown code in the file setup/routes/setup.php. Manipulating the DB_PASSWORD, ROOT_PATH or URL argument leads to deserialization. The attack may be initiated remotely. The attack complexity is rated high, and exploitation is stated to be difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11938 is a medium-severity deserialization vulnerability affecting ChurchCRM versions 5.0 through 5.18.0. The flaw exists in the setup/routes/setup.php file, where manipulation of certain input parameters—specifically DB_PASSWORD, ROOT_PATH, or URL—can trigger unsafe deserialization of data. Deserialization vulnerabilities occur when untrusted data is processed by an application’s deserialization routines, potentially allowing attackers to execute arbitrary code, escalate privileges, or cause denial of service. In this case, the vulnerability can be exploited remotely without authentication or user interaction, although the attack complexity is rated high, indicating that exploitation requires significant skill or specific conditions. The CVSS 4.0 vector indicates network attack vector, high attack complexity, no privileges or user interaction needed, and low impact on confidentiality, integrity, and availability. The vendor was notified but has not responded or issued a patch, and no official patch links are available. While no known exploits are currently active in the wild, the public disclosure of the exploit code increases the risk of future attacks. ChurchCRM is a widely used open-source church management system, making this vulnerability relevant to many religious and community organizations globally.
Potential Impact
If exploited, this vulnerability could allow remote attackers to execute arbitrary code or manipulate the application’s behavior by exploiting unsafe deserialization. This could lead to unauthorized access to sensitive data such as member information, financial records, or internal communications managed by ChurchCRM. The integrity of the application and its data could be compromised, potentially disrupting church operations or community services. Although the CVSS score indicates medium severity, the real-world impact could be significant for organizations relying heavily on ChurchCRM for their daily operations. The lack of vendor response and patches increases the window of exposure. Given the attack complexity is high, widespread exploitation may be limited initially, but skilled attackers could leverage this vulnerability for targeted attacks. The vulnerability’s remote exploitability without authentication makes it a notable risk for exposed ChurchCRM installations.
Mitigation Recommendations
Organizations should immediately review their ChurchCRM deployments and restrict access to the setup routes, especially the setup.php file, via network controls such as firewalls or web application firewalls (WAFs). Implement input validation and sanitization on the affected parameters (DB_PASSWORD, ROOT_PATH, URL) to prevent malicious serialized data from being processed. If possible, disable or restrict deserialization routines in the application or apply custom patches to sanitize inputs before deserialization. Monitor network traffic and application logs for unusual requests targeting setup.php or attempts to manipulate these parameters. Consider isolating ChurchCRM instances in segmented network zones to limit exposure. Stay alert for official patches or updates from the vendor and apply them promptly once available. In the absence of vendor patches, consider engaging with the ChurchCRM community or security experts to develop interim fixes. Regularly back up ChurchCRM data to enable recovery in case of compromise.
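The monitoring recommendation above, worked through as an added example (not ChurchCRM code or the advisory's own tooling): it triages combined-format access-log lines for requests reaching the setup route from outside an admin allowlist and for values of DB_PASSWORD, ROOT_PATH or URL that look like PHP serialize() output. The log lines, the admin network and the serialized-marker heuristic are all constructed assumptions; POST bodies are not in access logs, so this only sees query-string manipulation and should be paired with WAF inspection.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

WATCHED_PARAMS = {"DB_PASSWORD", "ROOT_PATH", "URL"}   # parameters named in the advisory
SETUP_PATH = "/setup/routes/setup.php"                 # affected file, per the advisory
# Assumed admin network allowed to run the installer (constructed for this example).
ADMIN_NETS = [ip_network("10.0.0.0/8")]
# PHP serialize() output starts with a type marker: O:<len>:"Class", a:<n>:{, s:<len>:", i:<n>;, b:<0|1>;
# Heuristic only: require the marker at a word boundary to cut down on password false positives.
PHP_SERIALIZED = re.compile(r'(?:^|[^A-Za-z0-9_])(?:[OaCs]:\d+:|[ib]:\d+;)')
# Apache/Nginx combined log format: ip ident user [time] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def analyze(line):
    """Return a list of finding strings for one access-log line (empty when nothing is suspicious)."""
    m = LOG_LINE.match(line)
    if not m:
        return []                      # unparsable line: out of scope for this check
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(SETUP_PATH):
        return []                      # only the setup route is of interest here
    findings = []
    try:
        src = ip_address(m.group("ip"))
        trusted = any(src in net for net in ADMIN_NETS)
    except ValueError:                 # hostname or '-' in the address field: treat as untrusted
        trusted = False
    if not trusted:
        findings.append(f"setup route reached from non-admin address {m.group('ip')}")
    params = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes the values
    for name in sorted(WATCHED_PARAMS & params.keys()):
        if any(PHP_SERIALIZED.search(v) for v in params[name]):
            findings.append(f"serialized-looking payload in {name}")
    return findings

# Constructed sample lines: a routine installer request from the admin net, a suspicious
# request from an external address carrying a serialized stdClass in URL, and an unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2025:07:30:01 +0000] "GET /setup/routes/setup.php?DB_PASSWORD=Secr3t&ROOT_PATH=%2Fvar%2Fwww HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Oct/2025:07:31:44 +0000] "GET /setup/routes/setup.php?URL=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Oct/2025:07:32:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(analyze(entry))
```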
Affected Countries
United States, Canada, United Kingdom, Australia, New Zealand, Ireland, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-18T12:54:26.566Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f4954ddd9718ca70979f34
Added to database: 10/19/2025, 7:37:49 AM
Last enriched: 2/24/2026, 9:34:10 PM
Last updated: 3/24/2026, 7:37:18 AM