ChurchCRM Flaw: Data Deletion Via CSRF

The National Vulnerability Database (NVD) has detailed CVE-2026-40581, a high-severity vulnerability (CVSS 8.1) affecting ChurchCRM, an open-source church management system. Prior to version 7.2.0, the SelectDelete.php endpoint, responsible for family record deletion, allowed irreversible data removal through a simple GET request. Critically, this endpoint lacked any CSRF token validation.

This oversight means an attacker could craft a malicious webpage. If an authenticated administrator visits this page, the attacker can silently trigger the deletion of targeted family records, including associated notes, pledges, persons, and property data, without any further interaction from the administrator. The NVD highlights this as a critical data integrity risk, directly attributable to CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization).

For defenders, the implications are straightforward: unauthenticated users cannot trigger the deletion on their own, but an authenticated administrator is a single click away from devastating data loss. The NVD confirms the issue is resolved in ChurchCRM version 7.2.0. Organizations utilizing ChurchCRM must prioritize upgrading to mitigate this significant risk to their data integrity.

What This Means For You

  • If your organization uses ChurchCRM, you must immediately verify your deployed version. If it's prior to 7.2.0, patch to version 7.2.0 or later RIGHT NOW. This isn't theoretical; an attacker can wipe entire family records and associated sensitive data with minimal effort if an admin clicks a malicious link.
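The advisory above describes two things a defender needs to see side by side: the state-changing GET that SelectDelete.php accepted without a CSRF token, and the synchronizer-token check that closes the hole. The block below is an added example, not ChurchCRM's own code, and it is written in Python rather than the project's PHP. It models the pre-7.2.0 authorization decision beside a hardened one (POST only, per-session token compared in constant time), and scans constructed Apache-style access-log lines for GET hits on the delete endpoint so that an administrator can look for pre-patch exploitation attempts. The function names, the FamilyID parameter, the csrf_token field, the log format and every sample line are assumptions made for the example.

```python
"""
Added example (not ChurchCRM code): models the CVE-2026-40581 pattern, a
family deletion reachable by GET with no CSRF token, beside the
synchronizer-token check a fixed handler needs, and scans constructed
access-log lines for GET hits on SelectDelete.php. Function names, parameter
names, log format and sample lines are assumptions.
"""
import hmac
import re
import secrets
from urllib.parse import urlparse

DELETE_ENDPOINT = "/SelectDelete.php"  # endpoint named in the advisory


def new_csrf_token() -> str:
    """Per-session random token kept server-side and echoed in each form."""
    return secrets.token_urlsafe(32)


def vulnerable_delete_allowed(method: str, params: dict, session: dict) -> bool:
    """Pre-7.2.0 behaviour as described: any authenticated request carrying a
    family id deletes, regardless of method or token (method is ignored)."""
    return session.get("authenticated", False) and "FamilyID" in params  # assumed param name


def hardened_delete_allowed(method: str, params: dict, session: dict) -> bool:
    """Fixed pattern: POST only, token present, constant-time match against the
    session's copy, and still only for an authenticated session."""
    if not session.get("authenticated", False):
        return False
    if method != "POST":  # GET must never mutate state
        return False
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied) and "FamilyID" in params


# Constructed Apache combined-log lines (assumed format), not real ChurchCRM logs.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Apr/2026:03:20:01 +0000] "GET /SelectDelete.php?FamilyID=42 HTTP/1.1" 302 0 "https://evil.example/" "Mozilla/5.0"
203.0.113.10 - - [18/Apr/2026:03:21:11 +0000] "GET /FamilyView.php?FamilyID=42 HTTP/1.1" 200 5120 "https://crm.example.org/" "Mozilla/5.0"
198.51.100.7 - - [18/Apr/2026:03:25:45 +0000] "POST /SelectDelete.php HTTP/1.1" 302 0 "https://crm.example.org/" "Mozilla/5.0"
198.51.100.7 - - [18/Apr/2026:03:26:00 +0000] "GET /SelectDelete.php?FamilyID=7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request-target, status, referer
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')


def find_suspicious_deletes(log_text: str, site_host: str) -> list:
    """Return (ip, timestamp, target, referer, reason) for every GET that hit
    the delete endpoint; a foreign or missing Referer is called out."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, referer = m.groups()
        path = target.split("?", 1)[0]
        if path != DELETE_ENDPOINT or method != "GET":
            continue
        ref_host = urlparse(referer).hostname if referer != "-" else None
        if ref_host is None:
            reason = "GET to delete endpoint with no Referer"
        elif ref_host != site_host:
            reason = f"GET to delete endpoint from foreign origin {ref_host}"
        else:
            reason = "GET to delete endpoint (state change over GET)"
        hits.append((ip, ts, target, referer, reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_deletes(SAMPLE_LOG, "crm.example.org"):
        print(hit)
```

On the constructed log the scanner reports the two GET requests to SelectDelete.php (one from a foreign origin, one with no Referer) and ignores the POST. A missing or foreign Referer is a strong signal but not proof: browsers and privacy extensions strip the header, so a hit is something to investigate against the application's own audit trail, and the absence of hits on a pre-7.2.0 install is not a clean bill of health.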


Indicators of Compromise

ID              Type   Indicator
CVE-2026-40581  CSRF   ChurchCRM versions prior to 7.2.0
CVE-2026-40581  CSRF   ChurchCRM endpoint: SelectDelete.php
CVE-2026-40581  CSRF   Deletion of family records via GET request without CSRF token validation

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 18, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
