📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global insider Education HIGH 4h Global supply_chain Software Development and Technology HIGH 9h Global apt Government/Critical Infrastructure CRITICAL 11h Global vulnerability Enterprise Software / Data Analytics CRITICAL 12h Global vulnerability Artificial Intelligence and Technology HIGH 15h Global general Technology and Artificial Intelligence MEDIUM 19h Global general Technology and Artificial Intelligence HIGH 20h Global vulnerability Higher Education CRITICAL 1d Global data_breach Government HIGH 1d Global supply_chain Software Development and Open Source Communities CRITICAL 1d Global insider Education HIGH 4h Global supply_chain Software Development and Technology HIGH 9h Global apt Government/Critical Infrastructure CRITICAL 11h Global vulnerability Enterprise Software / Data Analytics CRITICAL 12h Global vulnerability Artificial Intelligence and Technology HIGH 15h Global general Technology and Artificial Intelligence MEDIUM 19h Global general Technology and Artificial Intelligence HIGH 20h Global vulnerability Higher Education CRITICAL 1d Global data_breach Government HIGH 1d Global supply_chain Software Development and Open Source Communities CRITICAL 1d Global insider Education HIGH 4h Global supply_chain Software Development and Technology HIGH 9h Global apt Government/Critical Infrastructure CRITICAL 11h Global vulnerability Enterprise Software / Data Analytics CRITICAL 12h Global vulnerability Artificial Intelligence and Technology HIGH 15h Global general Technology and Artificial Intelligence MEDIUM 19h Global general Technology and Artificial Intelligence HIGH 20h Global vulnerability Higher Education CRITICAL 1d Global data_breach Government HIGH 1d Global supply_chain Software Development and Open Source Communities CRITICAL 1d
Vulnerabilities

CVE-2026-39342

High ⚡ Exploit Available
CWE-89 — Weakness Type
Published: Apr 7, 2026  ·  Modified: Apr 14, 2026  ·  Source: NVD
CVSS v3
8.8
🔗 NVD Official
📄 Description (English)

ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query. This vulnerability is fixed in 7.1.0.

🤖 AI Executive Summary

ChurchCRM versions prior to 7.1.0 contain an authenticated SQL injection vulnerability in the QueryView.php searchwhat parameter (QueryID=15) that allows attackers with Data/Reports access to execute arbitrary SQL commands. With a CVSS score of 8.8 and publicly available exploits, this poses a significant risk to organizations using ChurchCRM for administrative functions. Immediate patching to version 7.1.0 or later is critical to prevent unauthorized data access and manipulation.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 09:42
🇸🇦 Saudi Arabia Impact Assessment
While ChurchCRM is primarily used by religious institutions, Saudi organizations operating churches, interfaith centers, or using this system for administrative purposes face direct risk. Secondary impact affects government entities and NGOs that may use ChurchCRM for community management. The vulnerability allows authenticated users with limited privileges to escalate access and exfiltrate sensitive organizational data including member information, financial records, and administrative details. Organizations in the non-profit and religious services sectors are most vulnerable.
🏢 Affected Saudi Sectors
Religious Institutions Non-Profit Organizations Government (Community Services) Healthcare (Chaplaincy Services) Education (Religious Studies)
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:

1. Identify all ChurchCRM installations in your environment and document current versions

2. Restrict access to Data/Reports > Query Menu and Advanced Search functionality to only essential administrators

3. Implement database activity monitoring (DAM) to detect suspicious SQL queries

4. Review access logs for QueryView.php with QueryID=15 parameters for suspicious activity



PATCHING:

1. Upgrade ChurchCRM to version 7.1.0 or later immediately

2. Test patches in a non-production environment before deployment

3. Verify patch application by checking version numbers post-deployment



COMPENSATING CONTROLS (if patching delayed):

1. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in searchwhat parameter

2. Apply principle of least privilege - remove unnecessary Data/Reports access from user accounts

3. Enable SQL query logging and alerting for unusual patterns

4. Implement network segmentation to isolate ChurchCRM database access



DETECTION:

1. Monitor for HTTP requests containing SQL keywords (UNION, SELECT, DROP, INSERT) in searchwhat parameter

2. Alert on QueryView.php requests with QueryID=15 from non-administrative accounts

3. Track database connections showing unusual query patterns or multiple failed authentication attempts

4. Log all access to Data/Reports menu with timestamp and user identity
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. حدد جميع تثبيتات ChurchCRM في بيئتك وقم بتوثيق الإصدارات الحالية

2. قيد الوصول إلى Data/Reports > Query Menu والبحث المتقدم للمسؤولين الأساسيين فقط

3. طبق مراقبة نشاط قاعدة البيانات (DAM) للكشف عن استعلامات SQL المريبة

4. راجع سجلات الوصول لـ QueryView.php مع معاملات QueryID=15 للنشاط المريب



التصحيح:

1. قم بترقية ChurchCRM إلى الإصدار 7.1.0 أو أحدث فوراً

2. اختبر التصحيحات في بيئة غير إنتاجية قبل النشر

3. تحقق من تطبيق التصحيح بفحص أرقام الإصدارات بعد النشر



الضوابط البديلة (إذا تأخر التصحيح):

1. طبق قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط حقن SQL في معامل searchwhat

2. طبق مبدأ الحد الأدنى من الامتيازات - أزل الوصول غير الضروري إلى Data/Reports من حسابات المستخدمين

3. فعّل تسجيل الاستعلامات وتنبيهات SQL للأنماط غير العادية

4. طبق تقسيم الشبكة لعزل وصول قاعدة بيانات ChurchCRM



الكشف:

1. راقب طلبات HTTP التي تحتوي على كلمات مفتاحية SQL (UNION, SELECT, DROP, INSERT) في معامل searchwhat

2. أصدر تنبيهات لطلبات QueryView.php مع QueryID=15 من حسابات غير إدارية

3. تتبع اتصالات قاعدة البيانات التي تظهر أنماط استعلام غير عادية أو محاولات مصادقة فاشلة متعددة

4. سجل جميع الوصول إلى قائمة Data/Reports مع الطابع الزمني وهوية المستخدم
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication 5.2.1 - Data Protection and Encryption 5.3.1 - Vulnerability Management 5.4.1 - Incident Detection and Response
🔵 SAMA CSF
Identify - Asset Management (ID.AM) Protect - Access Control (PR.AC) Protect - Data Security (PR.DS) Detect - Anomalies and Events (DE.AE) Respond - Response Planning (RS.RP)
🟡 ISO 27001:2022
A.5.2 - Information Security Policies A.6.1 - Internal Organization A.8.1 - Asset Management A.9.1 - Access Control A.12.2 - Cryptography A.12.6 - Management of Technical Vulnerabilities A.14.2 - Development Security
🟣 PCI DSS v4.0.1
Requirement 1 - Firewall Configuration Requirement 6 - Secure Development and Vulnerability Management Requirement 6.2 - Security Patches Requirement 6.5.1 - Injection Flaws
📦 Affected Products / CPE 1 entries
churchcrm:churchcrm
📊 CVSS Score
8.8
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredL — Low / Local
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityH — High
IntegrityH — High
AvailabilityH — High
📋 Quick Facts
Severity High
CVSS Score8.8
CWECWE-89
EPSS0.03%
Exploit ✓ Yes
Patch ✗ No
Published 2026-04-07
Source Feed nvd
Views 4
🇸🇦 Saudi Risk Score
7.8
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
exploit-available CWE-89
🏢 Vendor Advisories
🔗 https://github.com/ChurchCRM/CRM/security/advisories...
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram

💬 Comments

0
Loading comments
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.