CVE-2025-11939: Path Traversal in ChurchCRM
A vulnerability was found in ChurchCRM up to 5.18.0. It affects an unknown part of the file src/ChurchCRM/Backup/RestoreJob.php in the Backup Restore Handler component. Manipulating the restoreFile argument can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-11939 is a path traversal vulnerability in ChurchCRM, an open-source church management application, affecting all versions up to 5.18.0. The flaw is in the Backup Restore Handler component, specifically in src/ChurchCRM/Backup/RestoreJob.php. It arises from improper validation or sanitization of the restoreFile argument, which an attacker holding high privileges can manipulate to traverse directories and reach files outside the intended backup directory. This can lead to unauthorized reading, or potentially overwriting, of sensitive files on the server hosting ChurchCRM. The attack vector is the network, and no user interaction is required once the attacker has authenticated with sufficient privileges. The CVSS 4.0 vector indicates no user interaction (UI:N), high privileges required (PR:H), low attack complexity (AC:L), and low impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability was publicly disclosed on October 19, 2025, but the vendor has not responded or issued a patch. No exploitation in the wild has been reported yet, but public disclosure raises the likelihood of exploitation attempts. The absence of a vendor response and of a patch makes compensating controls urgent. A successful attack could expose configuration files, backups, or other critical data, potentially leading to data leakage, service disruption, or further compromise.
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses a risk of unauthorized access to sensitive data stored on the server, including backups and configuration files. This could lead to breaches of confidentiality, especially if personal data of church members or donors is exposed, potentially violating GDPR requirements. Integrity of data could be compromised if attackers overwrite or manipulate backup files, affecting the reliability of restoration processes. Availability might be impacted if critical files are deleted or corrupted, disrupting church operations or community services. Given that ChurchCRM is often used by religious and community organizations, the impact extends beyond IT systems to organizational trust and reputation. The medium CVSS score reflects moderate risk, but the lack of vendor patches and public exploit disclosure increases the urgency. European organizations with limited IT security resources may be particularly vulnerable. Additionally, the requirement for high privileges means that insider threats or compromised administrative accounts could be leveraged to exploit this vulnerability.
Mitigation Recommendations
Since no official patches are available, European organizations should implement the following mitigations:
1) Restrict access to the Backup Restore Handler functionality strictly to trusted administrators and limit the number of users with high privileges.
2) Implement strict input validation and sanitization at the application or web server level, if possible, to detect and block path traversal patterns in the restoreFile argument.
3) Monitor application and server logs for unusual access patterns or attempts to manipulate file paths related to backups.
4) Isolate the ChurchCRM application environment using containerization or virtual machines to limit the impact of potential exploitation.
5) Regularly back up data and verify backup integrity to ensure recovery capability if backups are corrupted.
6) Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the restoreFile parameter.
7) Engage with the ChurchCRM community or security forums for updates or unofficial patches.
8) Consider temporarily disabling the restore functionality if it is not essential until a patch is available.
9) Conduct regular security audits and penetration testing focused on backup and restore functionalities.
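An added example (not ChurchCRM's own code) of the application-level validation that mitigation 2 calls for: the requested backup name is restricted to a bare file name and then canonicalised with realpath() so the resolved path is proven to lie inside the backup directory before any restore routine touches it. The backup directory, the accepted name pattern and the self-check inputs are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. Resolves a user-supplied backup file
// name to a canonical path that is guaranteed to sit inside $backupDir,
// or returns null. The directory and name pattern are assumptions.
function resolveRestoreFile(string $backupDir, string $restoreFile): ?string
{
    // Only a bare file name from a conservative character set: no path
    // separators, no NUL bytes, no leading dot, and no ".." anywhere.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\z/', $restoreFile)
        || strpos($restoreFile, '..') !== false) {
        return null;
    }
    $base = realpath($backupDir);
    if ($base === false) {
        return null;
    }
    // realpath() canonicalises and follows symlinks, so a link that points
    // outside the directory is caught by the prefix check below as well.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $restoreFile);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-check against a constructed backup directory in the system temp dir.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'restore-check-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'backup-2025-10-19.tar.gz', 'demo');

$cases = [
    'backup-2025-10-19.tar.gz' => true,  // plain name inside the directory
    '../../../etc/passwd'      => false, // traversal, rejected by the pattern
    '.htaccess'                => false, // hidden file, rejected by the pattern
    'missing.tar.gz'           => false, // not present, rejected by is_file()
];
foreach ($cases as $name => $expectOk) {
    $ok = resolveRestoreFile($dir, $name) !== null;
    printf("%-26s %s\n", $name, $ok === $expectOk ? 'as expected' : 'UNEXPECTED');
}
unlink($dir . DIRECTORY_SEPARATOR . 'backup-2025-10-19.tar.gz');
rmdir($dir);
```

A WAF rule (mitigation 6) can only match on request syntax; the containment check above is what actually decides whether the canonical file is inside the backup directory, so keep both layers.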
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-10-18T12:54:29.045Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f49c99a2d65d4c729ee8bd
Added to database: 10/19/2025, 8:08:57 AM
Last enriched: 10/27/2025, 1:23:10 AM
Last updated: 12/2/2025, 6:56:51 PM