External risk intelligence

ChurchCRM Plugin Upload RCE via Malicious PHP Webshells

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-58409

ChurchCRM is a web-based management application. While such applications are often deployed internally, they can be configured as internet-facing portals for administrative access. The requirement for administrator authentication makes public internet exposure common enough to be considered a possible attack vector, though it is not inherently designed as a public-facing edge service.

Unrestricted File Upload

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

An authenticated administrator can execute malicious code on the server by uploading a specially crafted plugin to the ChurchCRM management system. This vulnerability stems from how the system handles file extensions during plugin installation, allowing direct execution of PHP files placed in the web root.

  • Malicious plugins can run unauthorized code on servers.
  • Protects sensitive church and member information.
  • Confirm system relevance and scan for unauthorized plugins.

Attack Path

How an attacker could exploit the issue

An attacker with administrator access could upload a specially crafted ZIP archive containing a PHP webshell. This archive, sourced from an attacker-controlled URL, would be installed as a plugin. Because the application allows PHP files within plugins and places them directly in the web root, the webshell becomes executable without further interaction, potentially leading to server compromise.

  • Administrator authentication required.
  • Install malicious plugin via URL.
  • Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

An authenticated administrator could execute arbitrary PHP code on the server by uploading a specially crafted plugin. This occurs because the system allows PHP files within plugin archives and places them directly in the web root, making them executable. The installation process can also fetch malicious archives from external URLs.

  • Server-side code execution.
  • Uploading malicious ZIP archives.
  • Complete server compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in ChurchCRM, allowing remote code execution via malicious plugin installation, likely falls under the responsibility of application owners and infrastructure teams responsible for the deployment. The first crucial step is to inventory all ChurchCRM instances, verify administrative access, and assess business criticality to prioritize remediation efforts.

  • Application owners and infrastructure teams.
  • Confirm all ChurchCRM instances and admin access.
  • Plan remediation based on business risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ChurchCRM?

ChurchCRM is an open-source software platform designed to help religious organizations manage their membership, contributions, and internal administrative tasks. It provides a centralized web-based interface for tracking sensitive organizational data.

What does CWE-434 mean for CVE-2026-58409?

This vulnerability is classified as CWE-434, which refers to Unrestricted Upload of File with Dangerous Type. In this case, the system fails to block PHP files in plugin uploads and places them where they can be executed by the web server, allowing an attacker to run unauthorized code.

How does the malicious plugin trigger this vulnerability?

An administrator must install a specially crafted ZIP archive from a remote URL. The system does not require the plugin to be activated through the user interface; simply uploading the file causes the server to extract PHP files into the web root, where they become immediately executable.

Who should care about this security issue?

Anyone running ChurchCRM should be aware of this risk. According to Halo Surface Signal, while these systems are often used internally, they are frequently configured as internet-facing portals to allow remote administration, making them potential targets if unauthorized users gain administrator access.

What should I do if I use ChurchCRM?

Start by identifying all deployed instances of the software and confirming who has administrator access. Ensure your organization is updated to version 7.4.0 or later, which includes the fix to properly restrict plugin file types and prevent unauthorized code execution.

References