โ† Back to Dashboard

CVE-2026-42289

HIGH NVD
CVSS Score
8.8
Severity
HIGH
Source
NVD
Published
May 12, 2026
Description

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.

View Full Details โ† Back