CVE-2025-11939: Path Traversal in ChurchCRM
A vulnerability was identified in ChurchCRM up to and including version 5.18.0. It affects unspecified processing in the file src/ChurchCRM/Backup/RestoreJob.php of the Backup Restore Handler component. Manipulating the restoreFile argument can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11939 is a path traversal vulnerability identified in ChurchCRM, open-source church management software, affecting all versions up to and including 5.18.0. The vulnerability resides in the Backup Restore Handler component, specifically in the src/ChurchCRM/Backup/RestoreJob.php file. The issue arises from insufficient validation of the 'restoreFile' argument, which an attacker can manipulate to traverse directories and reach files outside the intended backup restore scope. The flaw can be exploited remotely but requires the attacker to hold high privileges on the system, such as authenticated administrative access, in order to invoke the vulnerable functionality. It could allow unauthorized reading or modification of sensitive files, potentially leading to data leakage or corruption of backup data. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the moderate impact and the requirement for elevated privileges. The vendor was notified early but has not issued a patch or response, and no known exploits have been observed in the wild. This lack of remediation increases the risk for organizations relying on this software for critical data backup and restoration processes.
Potential Impact
For European organizations, especially those using ChurchCRM for managing church or community data, this vulnerability poses a risk of unauthorized access to sensitive backup files, potentially exposing personal data or internal records. The path traversal could lead to partial compromise of confidentiality by reading files outside the backup scope, integrity by modifying backup data, and availability if critical backup files are corrupted or deleted. Given the requirement for high privileges, the threat is more significant if internal accounts are compromised or if insider threats exist. The lack of vendor response and patch availability increases the risk exposure. Organizations that rely heavily on ChurchCRM for operational continuity may face disruptions or data breaches, impacting trust and compliance with data protection regulations such as GDPR.
Mitigation Recommendations
European organizations should immediately audit and restrict access to ChurchCRM administrative interfaces to trusted personnel only, ensuring strong authentication and authorization controls are in place. Input validation should be enforced on the 'restoreFile' parameter to prevent directory traversal sequences (e.g., '..' or absolute paths). Network segmentation and firewall rules should limit remote access to backup restore functionalities. Monitoring and logging of backup restore operations should be enhanced to detect suspicious activities. Where possible, organizations should consider isolating the backup restore process in a sandboxed environment to limit potential damage. Until an official patch is released, organizations might explore applying custom patches or workarounds that sanitize input parameters. Regular backups should be maintained separately to ensure recovery in case of data corruption. Finally, organizations should engage with the ChurchCRM community or maintainers to advocate for a timely fix.
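The input validation recommended above, as an added example that is not ChurchCRM's own code: a user-supplied restore file name is accepted only as a bare, whitelisted file name, then resolved with realpath() and confirmed to sit inside a fixed backup directory, so that '..' segments, absolute paths and symlinks are all rejected. The backup directory, the accepted extensions and the function name resolveRestoreFile are assumptions for illustration.

```php
<?php
// Added example (not ChurchCRM code). Assumptions: the backup directory
// passed as $backupDir and the set of accepted extensions are hypothetical.
declare(strict_types=1);

function resolveRestoreFile(string $restoreFile, string $backupDir): ?string
{
    // 1. Whitelist: letters, digits, '.', '_' and '-', ending in a known
    //    backup extension. \z (not $) so a trailing newline cannot slip through.
    //    No '/' or '\' is allowed, which excludes '..' segments and absolute paths.
    if (!preg_match('/^[A-Za-z0-9._-]+\.(sql|sql\.gz|tar\.gz|zip)\z/', $restoreFile)) {
        return null;
    }
    // 2. Defence in depth: the name must be a bare file name, nothing more.
    if (basename($restoreFile) !== $restoreFile) {
        return null;
    }
    // 3. Resolve symlinks on both sides and require the candidate to stay
    //    under the backup directory (a symlink inside it pointing outside
    //    is caught here, which the string checks above cannot do).
    $base = realpath($backupDir);
    $candidate = realpath($backupDir . DIRECTORY_SEPARATOR . $restoreFile);
    if ($base === false || $candidate === false) {
        return null; // directory missing or file does not exist
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the backup directory
    }
    return $candidate;
}

// Self-check against a constructed temporary backup directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backups-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/site-2025-10-18.sql.gz', 'constructed sample backup');
$cases = [
    'site-2025-10-18.sql.gz'    => true,   // legitimate backup in place
    '../../etc/hostname'        => false,  // traversal sequence
    '/etc/hostname'             => false,  // absolute path
    'site-2025-10-18.sql.gz/..' => false,  // traversal after a valid name
    "site\0.sql.gz"             => false,  // NUL byte truncation attempt
    "site.sql.gz\n"             => false,  // trailing newline
];
if (@symlink('/etc/hostname', $dir . '/link.sql.gz')) {
    $cases['link.sql.gz'] = false;         // symlink escaping the directory
}
foreach ($cases as $input => $expectAllowed) {
    $allowed = resolveRestoreFile((string) $input, $dir) !== null;
    printf("%-30s %s\n", addcslashes((string) $input, "\0\n"),
        $allowed === $expectAllowed ? 'ok' : 'MISMATCH');
}
```

Every line should print `ok`; the symlink case is added only where the filesystem permits creating one.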
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-18T12:54:29.045Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f49c99a2d65d4c729ee8bd
Added to database: 10/19/2025, 8:08:57 AM
Last enriched: 10/19/2025, 8:10:42 AM
Last updated: 10/19/2025, 2:39:57 PM