ID:12563 - Exploit for Code Injection in ChurchCRM - CVE-2025-62521


Published: April 9, 2026


Vulnerability identifier: #VU125687
Vulnerability risk: High
CVE-ID: CVE-2025-62521
CWE-ID: CWE-94
Exploitation vector: Remote access
Vulnerable software: ChurchCRM

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation (CWE-94) in setup/routes/setup.php when processing setup form input during the initial installation process. A remote attacker can submit specially crafted setup parameters that are written, unsanitized, into generated PHP code, and thereby execute arbitrary code on the server.

The issue affects fresh installations whose unauthenticated setup wizard is reachable over the network: the injected PHP code is written into Include/Config.php, where it executes on every subsequent page load.


Remediation

Install the security update from the vendor's website.