CVE-2026-40484: CWE-269: Improper Privilege Management in ChurchCRM CRM
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
AI Analysis
Technical Summary
CVE-2026-40484 affects ChurchCRM CRM versions before 7.2.0. The vulnerability arises because the restore functionality extracts uploaded backup archives and copies files from the Images/ directory into the web root using a recursive copy method that does not filter file extensions. An authenticated administrator can exploit this by uploading a backup archive containing a PHP webshell, which becomes publicly accessible and executable via HTTP, resulting in remote code execution with web server privileges. The restore endpoint also lacks CSRF protection, allowing attackers to trigger the restore action via cross-site request forgery against authenticated admins. The issue is resolved in ChurchCRM version 7.2.0.
Potential Impact
Successful exploitation allows an authenticated administrator to achieve remote code execution on the web server, potentially compromising the entire system. The lack of CSRF protection further lowers the attack complexity by enabling attackers to coerce administrators into executing the malicious restore action. This can lead to full system compromise, data theft, or service disruption.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.2.0 or later, where this vulnerability is fixed. Until then, restrict administrative access to trusted users only and avoid restoring backups from untrusted sources. Note that no official patch link or advisory was provided, so verify the upgrade path with the ChurchCRM project directly.
CVE-2026-40484: CWE-269: Improper Privilege Management in ChurchCRM CRM
Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
CVSS v3.1
Score 9.1critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40484 affects ChurchCRM CRM versions before 7.2.0. The vulnerability arises because the restore functionality extracts uploaded backup archives and copies files from the Images/ directory into the web root using a recursive copy method that does not filter file extensions. An authenticated administrator can exploit this by uploading a backup archive containing a PHP webshell, which becomes publicly accessible and executable via HTTP, resulting in remote code execution with web server privileges. The restore endpoint also lacks CSRF protection, allowing attackers to trigger the restore action via cross-site request forgery against authenticated admins. The issue is resolved in ChurchCRM version 7.2.0.
Potential Impact
Successful exploitation allows an authenticated administrator to achieve remote code execution on the web server, potentially compromising the entire system. The lack of CSRF protection further lowers the attack complexity by enabling attackers to coerce administrators into executing the malicious restore action. This can lead to full system compromise, data theft, or service disruption.
Mitigation Recommendations
Upgrade ChurchCRM to version 7.2.0 or later, where this vulnerability is fixed. Until then, restrict administrative access to trusted users only and avoid restoring backups from untrusted sources. Note that no official patch link or advisory was provided, so verify the upgrade path with the ChurchCRM project directly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-13T19:50:42.114Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2c47fbdfbbecc59a12f99
Added to database: 4/17/2026, 11:38:39 PM
Last enriched: 4/25/2026, 2:56:49 AM
Last updated: 6/1/2026, 11:52:08 PM
Views: 1376
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.