ChurchCRM, an open-source church management system, has a SQL injection vulnerability (CWE-89) in versions before 7.1.0. The vulnerability is located in PropertyTypeEditor.php, where user-supplied values from the Name and Description fields are directly concatenated into raw SQL INSERT and UPDATE statements without proper escaping. This regression occurred when the legacyFilterInput() function, which both stripped HTML and escaped SQL, was replaced by sanitizeText(), which only strips HTML. Authenticated users with the MenuOptions role, a non-admin staff permission, can exploit this flaw to perform time-based blind SQL injection attacks and exfiltrate any data from the database, including password hashes. The vulnerability is addressed by updating to ChurchCRM version 7.1.0.

An attacker with authenticated access and the MenuOptions role can exploit this vulnerability to perform time-based blind SQL injection, potentially extracting any data from the database, including sensitive information such as password hashes. This compromises confidentiality and integrity of the data but does not affect availability. The CVSS v3.1 score is 8.1 (High), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality and integrity.

This vulnerability is fixed in ChurchCRM version 7.1.0. Users should upgrade to version 7.1.0 or later to remediate this issue. There is no official patch link provided, but the vendor advisory confirms the fix in 7.1.0. Until upgraded, restrict access to users with the MenuOptions role and consider additional monitoring. Patch status is not explicitly confirmed beyond the version update, so verify with the vendor advisory for the latest remediation guidance.