CVE-2025-11939 is a path traversal vulnerability identified in ChurchCRM, an open-source church management software, affecting versions 5.0 through 5.18.0. The flaw exists in the Backup Restore Handler component, specifically in the file src/ChurchCRM/Backup/RestoreJob.php. The vulnerability arises from improper validation or sanitization of the restoreFile argument, allowing an attacker to manipulate file paths and traverse directories outside the intended scope. This can lead to unauthorized access to files on the server, potentially exposing sensitive data or enabling further attacks. The vulnerability can be exploited remotely without user interaction but requires the attacker to have high privileges on the system, which limits the attack surface. The CVSS 4.0 score is 5.1 (medium), reflecting the moderate impact and exploitation complexity. The vendor was contacted but has not responded, and no patches have been released yet. Public disclosure of the exploit details increases the risk of exploitation by malicious actors. The vulnerability does not require authentication bypass or user interaction, but the need for high privileges means attackers must already have significant access to the system to exploit it.

The primary impact of this vulnerability is unauthorized file access through directory traversal, which can compromise confidentiality by exposing sensitive files such as configuration files, backups, or user data. Integrity could be affected if an attacker uses the vulnerability to overwrite or manipulate files during the restore process. Availability impacts are limited but possible if critical files are altered or deleted. Since exploitation requires high privileges, the threat is mainly to insiders or attackers who have already compromised an account with elevated rights. Organizations using ChurchCRM for managing sensitive church member data, financial records, or communications could face data breaches or operational disruptions. The lack of vendor response and patch availability increases the window of exposure, and public exploit disclosure raises the likelihood of attacks.

1. Restrict access to the Backup Restore Handler functionality to only trusted administrators and limit high-privilege accounts. 2. Implement strict input validation and sanitization on the restoreFile parameter to prevent directory traversal sequences such as '../'. 3. Use web application firewalls (WAFs) to detect and block suspicious path traversal attempts targeting the restoreFile argument. 4. Monitor logs for unusual file access patterns or restore operations that could indicate exploitation attempts. 5. Isolate the ChurchCRM application environment with least privilege principles, ensuring it cannot access sensitive system files outside its scope. 6. Regularly back up data and maintain offline copies to recover from potential data integrity or availability issues. 7. Engage with the ChurchCRM community or maintainers to track patch releases and apply updates promptly once available. 8. Consider temporary disabling or restricting the restore functionality if it is not essential until a patch is released.