ChurchCRM versions before 7.1.0 contain an SQL injection vulnerability (CWE-89) in the /SettingsIndividual.php endpoint. The flaw allows authenticated users with limited privileges to inject SQL statements through the type array parameter's index, enabling unauthorized data extraction and modification. The vulnerability was addressed and fixed in ChurchCRM version 7.1.0. The CVSS 3.1 base score is 8.8, reflecting network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability.

Exploitation of this vulnerability allows an authenticated user without specific privileges to execute arbitrary SQL commands on the backend database. This can lead to unauthorized disclosure, modification, or deletion of sensitive data, severely impacting the confidentiality, integrity, and availability of the affected system.

Upgrade ChurchCRM to version 7.1.0 or later, where this SQL injection vulnerability has been fixed. No other official remediation or temporary fixes are documented. Patch status is confirmed by the vendor's versioning information.