Horizon Alert
Summary of the vulnerability and why it matters
An authenticated administrator can execute malicious code on the server by uploading a specially crafted plugin to the ChurchCRM management system. This vulnerability stems from how the system handles file extensions during plugin installation, allowing direct execution of PHP files placed in the web root.
- Malicious plugins can run unauthorized code on servers.
- Protects sensitive church and member information.
- Confirm system relevance and scan for unauthorized plugins.
Attack Path
How an attacker could exploit the issue
An attacker with administrator access could upload a specially crafted ZIP archive containing a PHP webshell. This archive, sourced from an attacker-controlled URL, would be installed as a plugin. Because the application allows PHP files within plugins and places them directly in the web root, the webshell becomes executable without further interaction, potentially leading to server compromise.
- Administrator authentication required.
- Install malicious plugin via URL.
- Leads to remote code execution.
Live Threat
Current exploitation, exposure, and threat context
An authenticated administrator could execute arbitrary PHP code on the server by uploading a specially crafted plugin. This occurs because the system allows PHP files within plugin archives and places them directly in the web root, making them executable. The installation process can also fetch malicious archives from external URLs.
- Server-side code execution.
- Uploading malicious ZIP archives.
- Complete server compromise.
Operational Fix
Recommended remediation, mitigation, and detection steps
This critical vulnerability in ChurchCRM, allowing remote code execution via malicious plugin installation, likely falls under the responsibility of application owners and infrastructure teams responsible for the deployment. The first crucial step is to inventory all ChurchCRM instances, verify administrative access, and assess business criticality to prioritize remediation efforts.
- Application owners and infrastructure teams.
- Confirm all ChurchCRM instances and admin access.
- Plan remediation based on business risk.