CVE-2026-42289

Published: May 12, 2026Modified: May 14, 2026Deferred

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3xq9-c86x-cwpp

Source: security-advisories@github.com

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3xq9-c86x-cwpp

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.