CVE-2026-39340: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
A SQL injection vulnerability exists in ChurchCRM versions prior to 7. 1. 0 within the PropertyTypeEditor. php file used for managing property type categories. The issue arises because user input from Name and Description fields is directly concatenated into SQL queries without proper escaping, due to a change from legacyFilterInput() to sanitizeText(). This allows authenticated users with the MenuOptions role, a non-admin staff permission, to perform time-based blind SQL injection and potentially extract sensitive data including password hashes. The vulnerability is fixed in version 7. 1. 0.
AI Analysis
Technical Summary
ChurchCRM versions before 7.1.0 contain a SQL injection vulnerability (CWE-89) in the administration component PropertyTypeEditor.php. The vulnerability was introduced when input sanitization was weakened by replacing legacyFilterInput(), which escaped SQL, with sanitizeText(), which only strips HTML. This improper neutralization of special elements in SQL commands allows authenticated users with limited privileges (MenuOptions role) to inject SQL commands via the Name and Description fields, enabling time-based blind SQL injection attacks to exfiltrate database data such as user password hashes. The vulnerability has a CVSS 3.1 score of 8.1 (high severity) and is resolved in ChurchCRM version 7.1.0.
Potential Impact
Exploitation of this vulnerability allows an authenticated user with the MenuOptions role to perform time-based blind SQL injection attacks. This can lead to unauthorized disclosure of sensitive information from the database, including password hashes of all users. The integrity and availability of the system are not impacted, but confidentiality is severely compromised. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability is fixed. Since no official patch or temporary workaround is indicated, applying the official update is the recommended remediation. Users with the MenuOptions role should be aware of this risk until the upgrade is applied.
CVE-2026-39340: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
Description
A SQL injection vulnerability exists in ChurchCRM versions prior to 7. 1. 0 within the PropertyTypeEditor. php file used for managing property type categories. The issue arises because user input from Name and Description fields is directly concatenated into SQL queries without proper escaping, due to a change from legacyFilterInput() to sanitizeText(). This allows authenticated users with the MenuOptions role, a non-admin staff permission, to perform time-based blind SQL injection and potentially extract sensitive data including password hashes. The vulnerability is fixed in version 7. 1. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ChurchCRM versions before 7.1.0 contain a SQL injection vulnerability (CWE-89) in the administration component PropertyTypeEditor.php. The vulnerability was introduced when input sanitization was weakened by replacing legacyFilterInput(), which escaped SQL, with sanitizeText(), which only strips HTML. This improper neutralization of special elements in SQL commands allows authenticated users with limited privileges (MenuOptions role) to inject SQL commands via the Name and Description fields, enabling time-based blind SQL injection attacks to exfiltrate database data such as user password hashes. The vulnerability has a CVSS 3.1 score of 8.1 (high severity) and is resolved in ChurchCRM version 7.1.0.
Potential Impact
Exploitation of this vulnerability allows an authenticated user with the MenuOptions role to perform time-based blind SQL injection attacks. This can lead to unauthorized disclosure of sensitive information from the database, including password hashes of all users. The integrity and availability of the system are not impacted, but confidentiality is severely compromised. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability is fixed. Since no official patch or temporary workaround is indicated, applying the official update is the recommended remediation. Users with the MenuOptions role should be aware of this risk until the upgrade is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-06T20:28:38.393Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d549ecaaed68159a473918
Added to database: 4/7/2026, 6:16:12 PM
Last enriched: 4/7/2026, 6:31:41 PM
Last updated: 4/7/2026, 8:58:04 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.