ChurchCRM CVE-2026-42289: CSRF Allows Admin Account Creation

The National Vulnerability Database has detailed CVE-2026-42289, a critical Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM, an open-source church management system. Prior to version 7.3.2, the UserEditor.php component lacked CSRF token validation, processing user account creation and permission updates solely through $_POST parameters. This is a fundamental security oversight.

An unauthenticated attacker can exploit this by crafting a malicious HTML page. If an authenticated administrator visits this page, the attacker can silently elevate any low-privilege user to full administrator status or create a new backdoor administrator account. The victim administrator would have no indication of the compromise. This vulnerability carries a CVSS score of 8.8 (HIGH), reflecting its severe impact on confidentiality, integrity, and availability.

This isn’t just a theoretical flaw; it’s a direct route to full system compromise. Any organization using ChurchCRM versions prior to 7.3.2 is exposed to complete administrative takeover. The fix, implemented in version 7.3.2, addresses the missing CSRF token validation, but the onus is on defenders to apply the update immediately.
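To make the flaw concrete, here is an added example (not ChurchCRM's code; the function and field names are hypothetical) of a minimal user-save handler written the way the advisory describes UserEditor.php, next to a hardened version that binds each save to a per-session synchronizer token and, as a second layer, refuses requests the browser labels as cross-site. The forged request at the bottom is constructed to look like what an auto-submitting form on a hostile page would send.

```php
<?php
// Added example, not ChurchCRM's code. Shows the pattern the advisory describes
// (a save handler that trusts any POST carrying the admin's session) beside a
// hardened version. Names such as saveUserVulnerable, csrf_token and the
// $persist callback are hypothetical. Requires PHP 7.1+.

declare(strict_types=1);

// --- Vulnerable pattern: the only "authentication" is the session cookie the
// browser attaches automatically, so a cross-site form post is indistinguishable
// from a legitimate save.
function saveUserVulnerable(array $post, callable $persist): string
{
    $persist($post['user_id'] ?? null, $post['role'] ?? 'User');
    return 'saved';
}

// --- Hardened pattern, step 1: mint one random token per session and embed it
// in every state-changing form as a hidden field.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// --- Hardened pattern, step 2: reject the save unless the submitted token
// matches the session copy (constant-time compare) and the browser did not
// flag the request as cross-site.
function saveUserHardened(array $post, array $session, array $headers, callable $persist): string
{
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // Fetch Metadata: modern browsers send Sec-Fetch-Site on every request.
    // An attacker-hosted form yields 'cross-site'. Older browsers omit the
    // header, in which case the token check above still stands alone.
    $fetchSite = strtolower($headers['Sec-Fetch-Site'] ?? '');
    if ($fetchSite === 'cross-site') {
        return 'rejected: cross-site request';
    }
    $persist($post['user_id'] ?? null, $post['role'] ?? 'User');
    return 'saved';
}

// Demonstration with constructed data.
$session = [];
$token   = issueCsrfToken($session);
$writes  = [];
$persist = function ($id, $role) use (&$writes): void {
    $writes[] = "user {$id} -> {$role}";
};

// A forged submission carries no token and arrives from another origin.
$forged = ['user_id' => '7', 'role' => 'Administrator'];
echo 'vulnerable handler: ', saveUserVulnerable($forged, $persist), PHP_EOL;
echo 'hardened handler, forged: ',
    saveUserHardened($forged, $session, ['Sec-Fetch-Site' => 'cross-site'], $persist), PHP_EOL;

// The genuine form includes the hidden token and is submitted same-origin.
$legit = $forged + ['csrf_token' => $token];
echo 'hardened handler, genuine: ',
    saveUserHardened($legit, $session, ['Sec-Fetch-Site' => 'same-origin'], $persist), PHP_EOL;

echo 'writes performed: ', implode('; ', $writes), PHP_EOL;
```

The genuine form must carry the token as `<input type="hidden" name="csrf_token" value="...">`; a token that is also exposed in a URL or leaked via Referer no longer protects anything. Setting the session cookie with `SameSite=Lax` or `Strict` is a third, independent layer, but on its own it does not replace the token check.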

What This Means For You

  • If your organization uses ChurchCRM, you need to check your version immediately. Patch to 7.3.2 or later to mitigate CVE-2026-42289. Beyond patching, audit your user accounts for any unauthorized administrators or elevated privileges that may have been created before the patch. This vulnerability allows for silent, complete administrative compromise.

🛡️ Detection Rules


3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML for the first is reproduced below.

Level: critical · ATT&CK: T1190 (Initial Access)

ChurchCRM CVE-2026-42289: CSRF Admin Account Creation via UserEditor.php

Sigma YAML
title: ChurchCRM CVE-2026-42289: CSRF Admin Account Creation via UserEditor.php
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects the specific CSRF exploit for ChurchCRM CVE-2026-42289. This rule looks for POST requests to UserEditor.php with parameters indicative of creating or modifying a user to administrator role without proper CSRF token validation. This allows an unauthenticated attacker to create a backdoor admin account when an authenticated administrator visits a malicious page.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42289/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
# Caveat: web server access logs record the query string (cs-uri-query), not the
# POST body. The parameter selections below only fire when the form fields are
# sent in the URL; otherwise only the method/URI selection is observable here.
detection:
  selection:
    uri|endswith: '/UserEditor.php'
    cs-method: 'POST'
  save_action:
    cs-uri-query|contains|all:
      - 'action=save'
      - 'user_id='
  admin_role:
    cs-uri-query|contains:
      - 'role=Administrator'
      - 'roleID=1'
  condition: selection and save_action and admin_role
falsepositives:
  - Legitimate administrative activity
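The rule above matches on fields an access log actually carries, so it is worth checking what it can and cannot see. The following added example (not the feed's or ChurchCRM's code; the log field order, host name and sample lines are constructed) applies the same logic to W3C-style access-log entries and adds a cross-origin Referer check, which is a useful second signal because a forged form post comes from the attacker's page rather than from the application itself.

```php
<?php
// Added example, not part of the original feed or of ChurchCRM. Applies the
// Sigma rule's matching logic (POST to /UserEditor.php with an admin-role
// parameter) to constructed W3C-style access-log lines, plus a Referer check.
// Requires PHP 8.0+ (str_ends_with / str_contains).

declare(strict_types=1);

// Constructed field order; adjust to the #Fields line of your own logs.
const FIELDS = ['date', 'time', 'c-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 'sc-status', 'cs(Referer)'];

// Host that legitimate forms are served from (constructed value).
const OWN_HOST = 'crm.example.org';

function parseLine(string $line): ?array
{
    $parts = preg_split('/\s+/', trim($line));
    if ($parts === false || count($parts) !== count(FIELDS)) {
        return null; // malformed or truncated line; skip rather than guess
    }
    return array_combine(FIELDS, $parts);
}

// Mirrors the Sigma detection block: method, URI suffix, save action, admin role.
function matchesSigmaRule(array $e): bool
{
    $isPost     = strtoupper($e['cs-method']) === 'POST';
    $isEditor   = str_ends_with($e['cs-uri-stem'], '/UserEditor.php');
    $q          = $e['cs-uri-query'];
    $saveAction = str_contains($q, 'action=save') && str_contains($q, 'user_id=');
    $adminRole  = str_contains($q, 'role=Administrator') || str_contains($q, 'roleID=1');
    return $isPost && $isEditor && $saveAction && $adminRole;
}

// Second signal: a POST to the editor whose Referer is another origin.
// A stripped Referer ('-') proves nothing either way and is not flagged.
function foreignReferer(array $e): bool
{
    $ref = $e['cs(Referer)'];
    if ($ref === '-') {
        return false;
    }
    $host = (string) parse_url($ref, PHP_URL_HOST);
    return strcasecmp($host, OWN_HOST) !== 0;
}

// Constructed sample: a normal save, a save carrying the admin role in the
// query string from a foreign page, and an unrelated GET.
$sample = <<<'LOG'
2026-05-12 10:01:03 203.0.113.5 POST /churchcrm/UserEditor.php action=save&user_id=7 302 https://crm.example.org/churchcrm/UserList.php
2026-05-12 10:02:17 203.0.113.5 POST /churchcrm/UserEditor.php action=save&user_id=7&role=Administrator 302 https://attacker.example/
2026-05-12 10:03:40 203.0.113.9 GET /churchcrm/UserEditor.php - 200 -
LOG;

foreach (explode("\n", $sample) as $line) {
    $e = parseLine($line);
    if ($e === null) {
        continue;
    }
    $verdict = matchesSigmaRule($e) ? 'ALERT (sigma match)' : 'no match';
    $refNote = foreignReferer($e) ? ' + foreign referer' : '';
    printf("%s %s?%s -> %s%s\n",
        $e['cs-method'], $e['cs-uri-stem'], $e['cs-uri-query'], $verdict, $refNote);
}
```

Only the second sample line triggers the rule, and only because its parameters happen to be in the query string; a real form post carries them in the body, which the access log never records. That is why the Referer signal, and an application-side audit of user and role changes (the advisory's own advice under "What This Means For You"), should run alongside this rule rather than instead of it.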

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID              Type                  Indicator
CVE-2026-42289  CSRF                  ChurchCRM < 7.3.2
CVE-2026-42289  Privilege Escalation  ChurchCRM < 7.3.2
CVE-2026-42289  Auth Bypass           ChurchCRM UserEditor.php lacks CSRF token validation

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 02:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

Fuji Tellus Driver Grants All Users Kernel R/W: CVE-2026-8108

CVE-2026-8108 — The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.


MonsterInsights WordPress Plugin Exposes Google OAuth Tokens

CVE-2026-5371 — The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of...


ChurchCRM CVE-2026-44548: High-Severity CSRF Allows Silent Record Deletion

CVE-2026-44548 — ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php...
