ChurchCRM CVE-2026-44548: High-Severity CSRF Allows Silent Record Deletion

The National Vulnerability Database (NVD) has published details of CVE-2026-44548, a high-severity Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM, an open-source church management system. In versions prior to 7.3.2, an attacker can craft a malicious page that, when visited by a logged-in ChurchCRM user, silently triggers the deletion of critical records.

The vulnerability specifically affects FundRaiserDelete.php, PropertyTypeDelete.php, and NoteDelete.php. A user holding the relevant role who simply navigates there from an attacker-controlled page could inadvertently delete records. This covers not just the primary records but also any cascaded property and record-to-property assignments, leading to significant data loss without any further user interaction or consent. The NVD assigned a CVSS score of 8.1 (HIGH), underscoring the severity.

This isn’t just about deleting a single entry; the cascaded deletion means an attacker could wipe out entire categories of data, crippling administrative functions. The attacker’s calculus here is simple: leverage a user’s existing authenticated session to perform unauthorized actions. It’s a classic CSRF scenario, but the impact of silent, irreversible deletion is substantial for any organization relying on this system.

What This Means For You

  • If your organization uses ChurchCRM, you are directly exposed: an attacker who holds no account of their own can trigger record deletion through a logged-in user's session. This isn't a theoretical risk; a single crafted link is enough. Immediately verify your ChurchCRM version. If it is prior to 7.3.2, upgrade to 7.3.2 or later without delay to mitigate this high-severity CSRF vulnerability.

🛡️ Detection Rules

Severity: high · MITRE ATT&CK: T1190 Initial Access

Sigma YAML:
title: ChurchCRM CVE-2026-44548: Cross-Site Request Forgery for Record Deletion (Free Tier)
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit ChurchCRM CVE-2026-44548 by triggering GET requests to specific delete endpoints (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php). This indicates a potential Cross-Site Request Forgery (CSRF) attack aiming for silent record deletion by an authenticated user.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44548/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|endswith:
      - 'FundRaiserDelete.php'
      - 'PropertyTypeDelete.php'
      - 'NoteDelete.php'
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity
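
As an added example (not code from the advisory or from ChurchCRM), the Python below applies the rule's selection to constructed W3C-style webserver log lines and adds a Referer check that separates a deletion triggered from a foreign page from the legitimate administrative activity the rule lists as a false positive. The query string is stripped before the endswith match so a URI like NoteDelete.php?NoteID=42 is still caught; the log layout, hostnames and addresses are constructed.

```python
"""Apply the Sigma rule's selection to W3C-style webserver log lines.
Added example, not code from the advisory or from ChurchCRM; log layout,
hosts and addresses below are constructed."""
from urllib.parse import urlsplit

DELETE_ENDPOINTS = ("FundRaiserDelete.php", "PropertyTypeDelete.php", "NoteDelete.php")

# Constructed sample: a same-site admin deletion, a deletion whose Referer is
# a foreign page (the CSRF pattern described above), and an unrelated request.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri sc-status cs(Referer)
2026-05-13 09:12:01 10.0.0.5 admin GET /churchcrm/NoteDelete.php?NoteID=42 302 https://crm.example.org/churchcrm/NoteEditor.php
2026-05-13 09:13:47 10.0.0.9 treasurer GET /churchcrm/FundRaiserDelete.php?FundRaiserID=7 302 https://lure.example.net/page.html
2026-05-13 09:14:02 10.0.0.5 admin GET /churchcrm/Menu.php 200 -
"""

def parse_w3c(text):
    """Yield one dict per entry; the '#Fields:' directive names the columns."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def matches_sigma(row, site_host):
    """Return None for a non-match, else a severity label.
    Selection as in the rule: cs-method GET and cs-uri ending in a delete
    script. The query string is stripped first, otherwise '?NoteID=42' would
    defeat an endswith test. The Referer then separates a cross-site trigger
    from the rule's listed false positive, legitimate admin activity."""
    if row.get("cs-method") != "GET":
        return None
    if not urlsplit(row.get("cs-uri", "")).path.endswith(DELETE_ENDPOINTS):
        return None
    referer = row.get("cs(Referer)", "-")
    if referer == "-":
        return "high: delete request without Referer"
    host = urlsplit(referer).hostname or referer
    if host != site_host:
        return "high: cross-site Referer " + host
    return "low: same-site delete, review against admin activity"

def scan(text, site_host):
    """Return (client IP, URI, label) for every entry the rule selects."""
    labelled = ((row, matches_sigma(row, site_host)) for row in parse_w3c(text))
    return [(r["c-ip"], r["cs-uri"], lab) for r, lab in labelled if lab]
```

Running scan(SAMPLE_LOG, "crm.example.org") flags the second entry as a cross-site delete and the first as a low-confidence same-site delete; a missing Referer is treated as high because browsers strip it on cross-origin navigations under strict referrer policies.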

Indicators of Compromise

ID              Type  Indicator
CVE-2026-44548  CSRF  ChurchCRM < 7.3.2
CVE-2026-44548  CSRF  Vulnerable endpoint: FundRaiserDelete.php
CVE-2026-44548  CSRF  Vulnerable endpoint: PropertyTypeDelete.php
CVE-2026-44548  CSRF  Vulnerable endpoint: NoteDelete.php

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 02:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
