CVE-2026-42289

Description

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2.

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3xq9-c86x-cwpp
• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3xq9-c86x-cwpp

CWEs

CWE-269 CWE-306 CWE-352