ChurchCRM SQL injection (CVE-2025-68112): patch now or prepare to explain to the board

SQL injection in ChurchCRM’s Event Attendee Editor: authenticated users can pull the strings — and your database — unless you patch to 6.5.3

Twelve hours ago a serious vulnerability was disclosed in ChurchCRM: CVE-2025-68112. In versions prior to 6.5.3 the Event Attendee Editor contains a SQL injection flaw that allows an authenticated user to execute arbitrary SQL commands. The vendor’s fix is in version 6.5.3 — if you run ChurchCRM, updating is not optional theatre, it’s triage.

What happened (short, factual recap)

The advisory states that the vulnerable Event Attendee Editor permits an authenticated user to inject SQL, which can lead to complete database compromise. Successful exploitation can allow attackers to extract sensitive member data, authentication credentials and financial information, and may result in administrative credential theft and system takeover. The issue was published about twelve hours ago and a patch is available in ChurchCRM 6.5.3.

Why this should keep boards and data owners awake

This isn’t an abstract developer problem — it’s a business-risk problem. Organisations that use ChurchCRM often hold personally identifiable data, donation records and operational details about events and attendees. If that data is extracted or altered, the immediate consequences include regulatory exposure under data-protection laws, direct financial loss, the cost of incident response and forensic work, and reputational damage among donors, partners and communities.

Operationally, a compromised database or stolen admin credentials can mean weeks of downtime while you cleanse systems, rotate credentials and rebuild trust. That’s time senior leaders spend on crisis calls instead of strategy, and it’s money haemorrhaging faster than an unpatched plugin.

How this kind of weakness gets exploited — and avoided

SQL injection is a classic web-application vulnerability: insufficient input validation or unsafe query construction lets crafted input become executable commands. In practice that can allow an attacker to read or modify tables, add admin accounts, or execute privileged operations via the database backend.

If you ignore these weaknesses, realistic scenarios include quietly exfiltrated member lists sold on to fraudsters, donation records tampered with to hide diversion, or attackers creating backdoor admin accounts and lying low until they monetise access. Treat untested backups like a parachute you’ve never opened: they look comforting until you actually need them.

What good information security and resilience would have done here

An ISO 27001 information security management system helps organisations systematically identify, assess and treat vulnerabilities like this one. Controls that would reduce likelihood or impact include formal third‑party and open‑source software risk assessments, a robust vulnerability management process, application-level threat modelling, and enforced least privilege for user roles within applications.

Concurrently, an ISO 22301 business continuity management system ensures critical services keep running or are restored in a controlled way when compromises happen — so your events bookings and donor-facing functions keep operating while you remediate.

Practical baseline measures such as Cyber Essentials and IASME reduce simple, high-impact exposures, while targeted developer training and secure coding practices (including parameterised queries and prepared statements) prevent SQL injection at the source. If social engineering or weak credential hygiene is part of the story, security awareness training helps reduce the chance an attacker wins an initial foothold.
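To make the parameterised-query point concrete, the following is an added example (not ChurchCRM's code; the attendee table, the column names and the crafted input are all constructed) that runs the same attendee-note update two ways against an in-memory SQLite database: once with the note spliced into the SQL text, once as a bound parameter.

```python
import sqlite3


def make_db():
    """Constructed stand-in for an event attendee list (not ChurchCRM's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendee (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO attendee (name, note) VALUES (?, ?)",
        [("Alice", ""), ("Bob", ""), ("Carol", "")],
    )
    conn.commit()
    return conn


def update_note_unsafe(conn, attendee_id, note):
    # Unsafe query construction: the user-supplied note becomes part of the
    # SQL text, so characters in it can change the statement's structure.
    sql = f"UPDATE attendee SET note = '{note}' WHERE id = {attendee_id}"
    conn.execute(sql)
    conn.commit()


def update_note_safe(conn, attendee_id, note):
    # Prepared statement: the SQL text is fixed and the values travel separately,
    # so the note is stored verbatim no matter what characters it contains.
    conn.execute("UPDATE attendee SET note = ? WHERE id = ?", (note, attendee_id))
    conn.commit()


def notes(conn):
    """Return {name: note} so the two outcomes can be compared."""
    return dict(conn.execute("SELECT name, note FROM attendee ORDER BY id"))


# Constructed input: the quote closes the string literal and "--" comments out
# the rest of the line, so the unsafe version loses its WHERE clause.
CRAFTED = "x' -- "


def demo():
    unsafe_db = make_db()
    update_note_unsafe(unsafe_db, 1, CRAFTED)   # every row is overwritten
    safe_db = make_db()
    update_note_safe(safe_db, 1, CRAFTED)       # only Alice's note changes, stored literally
    return notes(unsafe_db), notes(safe_db)


if __name__ == "__main__":
    print(demo())
```

The unsafe path updates all three rows because the WHERE clause was commented away; the safe path changes one row and stores the odd-looking string as plain data, which is exactly the behaviour a code review or authenticated DAST run should be checking for.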

Technical controls that lessen the blow

  • Apply the vendor patch immediately — upgrade to ChurchCRM 6.5.3.
  • Restrict application privileges so editing attendee lists is limited to trusted roles; review role definitions and harden permissions.
  • Use Web Application Firewalls and runtime protection as compensating controls while you patch.
  • Scan web apps regularly with authenticated dynamic testing and include dependency scanning in CI/CD pipelines.
  • Enforce multi‑factor authentication and rotate credentials for any administrative accounts exposed to the application.

Incident preparedness — because prevention is not a binary switch

Assume some vulnerabilities will slip through. Have an incident response plan that includes quick containment steps, forensic capture, credential resets, and communication templates for stakeholders and regulators. Regular tabletop exercises and an up-to-date inventory of where your sensitive data lives will shave days off recovery time.

Synergos’s ongoing support packages and advisory help with vendor vulnerability management, patch prioritisation and tested incident playbooks so you’re not inventing processes amid the panic.

Steps you can take this afternoon

Short checklist:

  • Check whether you run ChurchCRM and identify the version numbers in use.
  • If you are on a pre-6.5.3 release, schedule an immediate patch and test it in a staging environment.
  • Review which users have the permissions required to edit attendees and tighten them.
  • Verify backups are intact and that restorations have been tested.
  • Run a vulnerability scan against your instance.

A final nudge (gentle, but firm)

This advisory is a reminder that community and niche systems — often run by small teams with limited security resources — are high‑value targets because they hold rich, targeted data. Patching and basic hygiene aren’t glamorous, but they are effective. If your organisation relies on third‑party or open‑source tools, treat that reliance like any other supplier relationship: inventory, risk‑assess, test and be ready to act.

If you want help turning this into concrete, testable actions for your organisation — from faster patch cycles and role reviews to a business‑focused ISO 27001 roadmap or a practical ISO 22301 continuity plan — there are straightforward steps you can take without involving a miracle or a new hire.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.