ChurchCRM versions before 7.1.0 contain a SQL injection vulnerability (CWE-89) in PropertyTypeEditor.php. The issue stems from insufficient sanitization of the Name and Description POST parameters, which are only processed with strip_tags() before being concatenated into SQL queries. This allows authenticated users with the "Manage Properties" permission to inject arbitrary SQL commands. The vulnerability can lead to high-impact consequences including unauthorized data access, modification, and deletion. The flaw was addressed and fixed in ChurchCRM version 7.1.0.

Exploitation of this vulnerability allows authenticated users with specific permissions to execute arbitrary SQL commands on the backend database. This can result in unauthorized data disclosure, data corruption, and denial of service through data deletion. Because injected data persists and is reflected in multiple application pages without proper output encoding, it may also facilitate further attacks or data integrity issues. The CVSS score of 8.8 reflects a high severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

Upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability has been fixed. Since no official patch link or temporary workaround is provided, applying the official update is the recommended remediation. Until the upgrade is applied, restrict the "Manage Properties" permission to trusted users only to minimize risk.