ChurchCRM admin can upload webshell for RCE (CVE-2026-40484)
CVE-2026-40484
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directo...
Overview
A critical vulnerability in ChurchCRM allows an authenticated administrator to achieve remote code execution on the server hosting the application. The flaw is present in the database backup restore feature of versions prior to 7.2.0.
Vulnerability Details
The vulnerability, tracked as CVE-2026-40484 with a CVSS score of 9.1, resides in the restore.php endpoint. When an administrator restores a database backup, the system extracts the uploaded archive and copies files from the Images/ directory into the web server’s document root without validating file types. This allows an attacker with administrator credentials to upload a crafted backup archive containing a PHP webshell. Once restored, this malicious file is placed in a publicly accessible location and can be executed via a simple HTTP request, granting the attacker the ability to run arbitrary commands as the web server user.
Additionally, the restore endpoint lacks Cross-Site Request Forgery (CSRF) protection. This means an attacker could trick a logged-in administrator into unknowingly triggering the restore process by visiting a malicious website, potentially leading to exploitation even without direct access to the administrator’s credentials.
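The two weaknesses described above, copying archive contents into the web root without validating what they are and accepting the restore request without a CSRF token, can both be closed at the point where the backup is processed. The following Python block is an added illustration of those checks and is not ChurchCRM's code (the project's restore.php is PHP); the function names, the `Images/` allowlist logic and the constructed sample archive are all assumptions made for the example. It vets each archive member by path (no traversal out of `Images/`), by extension allowlist, and by content signature, so a PHP file, a double-extension file with PHP content, or a path escaping the directory is never copied, and it ties the restore action to a per-session CSRF token compared in constant time.

```python
import hmac
import io
import posixpath
import secrets
import tarfile

# Only these extensions may be copied out of Images/ into the web root (assumption for the example).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes that a file of each allowed type must actually start with.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def sniff_image_ext(head: bytes):
    """Return the image type implied by the file's first bytes, or None if it is not a known image."""
    for magic, ext in MAGIC.items():
        if head.startswith(magic):
            return ext
    return None


def safe_relative_path(name: str, prefix: str = "Images/"):
    """Accept only plain relative paths below prefix; reject absolute paths, traversal and backslashes."""
    if name.startswith("/") or "\\" in name or not name.startswith(prefix):
        return None
    if any(part in ("", ".", "..") for part in name.split("/")):
        return None
    return name


def vet_backup_images(archive_bytes: bytes):
    """Decide which archive members may be copied into the web root.

    Returns (accepted, rejected): accepted is a list of safe relative paths in archive order,
    rejected maps each refused member name to the reason it was refused.
    """
    accepted, rejected = [], {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = member.name
            if not member.isfile():  # symlinks, devices, directories are never copied
                rejected[name] = "not a regular file"
                continue
            rel = safe_relative_path(name)
            if rel is None:
                rejected[name] = "path is outside Images/ or contains traversal"
                continue
            ext = posixpath.splitext(rel)[1].lower()
            if ext not in ALLOWED_EXT:
                rejected[name] = "extension not in image allowlist"
                continue
            ext = ".jpg" if ext == ".jpeg" else ext
            head = tar.extractfile(member).read(8)
            if sniff_image_ext(head) != ext:
                rejected[name] = "content does not match the image type the extension claims"
                continue
            accepted.append(rel)
    return accepted, rejected


def issue_csrf_token(session: dict) -> str:
    """Generate a fresh random token, store it in the session and return it for the restore form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session: dict, submitted) -> bool:
    """Constant-time comparison of the submitted token against the one stored in the session."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_restore(session: dict, form: dict, archive_bytes: bytes) -> dict:
    """Restore handler: refuse the request without a valid CSRF token, otherwise vet the archive."""
    if not verify_csrf(session, form.get("csrf_token")):
        return {"status": "rejected", "reason": "missing or invalid CSRF token"}
    accepted, rejected = vet_backup_images(archive_bytes)
    return {"status": "ok", "accepted": accepted, "rejected": rejected}


def build_sample_backup() -> bytes:
    """Constructed test archive: three genuine images plus three members that must be refused."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("Images/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        add("Images/shell.php", b"<?php /* constructed placeholder, not a payload */ ?>")
        add("Images/photo.php.png", b"<?php /* placeholder hidden behind an image extension */ ?>")
        add("Images/../../index.php", b"<?php /* placeholder reached via traversal */ ?>")
        add("Images/banner.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8)
        add("Images/icon.gif", b"GIF89a" + b"\x00" * 10)
    return buf.getvalue()


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(handle_restore(session, {"csrf_token": token}, build_sample_backup()))
    print(handle_restore(session, {}, build_sample_backup()))
```

The extension check alone would have passed `photo.php.png`, which is why the content signature is also compared; the path check alone would have passed `shell.php`, which is why the extension allowlist is also applied. Even with both, the copied files should land in a directory where the web server is configured not to execute scripts.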
Impact
Successful exploitation grants an attacker full control over the affected ChurchCRM instance and the underlying server with the permissions of the web server process. This can lead to data theft, defacement, installation of persistent malware, or use of the server as a foothold for attacks on other internal network resources. The requirement for administrator credentials is a significant mitigating factor, but the CSRF flaw lowers the barrier for attack.
Remediation and Mitigation
The primary and definitive remediation is to upgrade ChurchCRM to version 7.2.0 or later, where this vulnerability has been patched.
Immediate Actions:
- Patch: Update all instances of ChurchCRM to version 7.2.0 immediately.
- Audit: Review server file systems, particularly within the web root, for any unexpected or recently added PHP files, especially in directories related to backups or images.
- Monitor: Check web server access logs for suspicious requests to PHP files in unusual paths.
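The audit and monitor steps above can be scripted. The following Python block is an added example, not part of the advisory or of ChurchCRM: it flags PHP-style files under directories that should only hold static content (`Images/` from the advisory; any further directories are an assumption for your deployment), and it parses web server access log lines in the common/combined format to surface requests for PHP files under those same paths. The log lines embedded in the block are constructed for the example.

```python
import os
import re

# Directories below the web root that should never contain executable code.
# "Images/" comes from the advisory; add backup or upload directories for your own install.
STATIC_DIRS = ("Images/",)

# Extensions that PHP handlers commonly execute, plus a double-extension pattern
# (e.g. "a.php.png") that some legacy handler configurations still execute.
PHP_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")
DOUBLE_EXT = re.compile(r"\.php\d?\.", re.IGNORECASE)

# Apache/Nginx common and combined log formats share this leading structure.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def looks_like_php(filename: str) -> bool:
    """True for names a PHP handler might execute, including double extensions."""
    lower = filename.lower()
    return lower.endswith(PHP_EXTS) or bool(DOUBLE_EXT.search(lower))


def unexpected_php_files(relative_paths, static_dirs=STATIC_DIRS):
    """Return the paths that sit under a static-content directory yet look like PHP code."""
    flagged = []
    for rel in relative_paths:
        rel = rel.replace("\\", "/")
        if rel.startswith(static_dirs) and looks_like_php(rel.rsplit("/", 1)[-1]):
            flagged.append(rel)
    return flagged


def scan_webroot(web_root: str, static_dirs=STATIC_DIRS):
    """Walk a real web root and apply unexpected_php_files to every file found."""
    found = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            found.append(os.path.relpath(os.path.join(dirpath, name), web_root))
    return unexpected_php_files(found, static_dirs)


def suspicious_requests(log_lines, static_dirs=STATIC_DIRS):
    """Parse access log lines and return requests for PHP-like files under static directories.

    Each hit is a dict with ip, time, method, path and status; 404s are kept because a
    request for a script that does not exist under Images/ is itself worth investigating.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:  # skip malformed or truncated lines rather than fail the whole run
            continue
        path = m.group("path").split("?", 1)[0].lstrip("/")
        if path.startswith(static_dirs) and looks_like_php(path.rsplit("/", 1)[-1]):
            hits.append({
                "ip": m.group("ip"), "time": m.group("time"),
                "method": m.group("method"), "path": "/" + path,
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log lines (not from any real server) exercising the parser.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:10:15:02 +0000] "GET /Images/logo.png HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2026:10:16:44 +0000] "POST /Images/x.php?c=1 HTTP/1.1" 200 312',
    '198.51.100.9 - - [10/Mar/2026:10:17:01 +0000] "GET /index.php HTTP/1.1" 200 8810',
    '198.51.100.9 - - [10/Mar/2026:10:18:30 +0000] "GET /Images/sub/y.PHP HTTP/1.1" 404 196',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Run `scan_webroot("/path/to/churchcrm")` against the real install and feed the access log through `suspicious_requests`; anything returned by either is a file or request that the application's normal operation does not explain and should be examined before it is deleted or blocked.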
If immediate patching is not possible, consider restricting network access to the ChurchCRM admin interface and implementing a Web Application Firewall (WAF) to block suspicious upload and restore requests. These are temporary measures and do not replace the need to apply the official update.
Security Insight
This vulnerability highlights the persistent risk of “feature-rich” administrative functions in web applications, particularly file upload and archive handling. The combination of insufficient input validation and missing CSRF tokens creates a classic attack chain, reminiscent of past incidents in other content management systems. It underscores the necessity for rigorous security reviews of all administrative endpoints, even those intended for trusted users, as they often provide the shortest path to full system compromise. For more on how such vulnerabilities lead to real-world incidents, see our breach reports.