CVE-2025-11529
Published: 09 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11529 is a missing authentication vulnerability affecting ChurchCRM versions up to 5.18.0. The flaw resides in the AuthMiddleware function within the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php, part of the API Endpoint component. This issue, classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), allows manipulation that bypasses required authentication checks.
The flaw is exploitable over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N), giving a CVSS v3.1 base score of 7.3 (C:L/I:L/A:L/S:U). Successful exploitation grants unauthorized access to the API endpoint, potentially enabling low-impact disruptions to confidentiality, integrity, and availability, such as reading or modifying limited data.
Mitigation involves applying the patch commit 3a1cffd2aea63d884025949cfbcfd274d06216a4, available via the ChurchCRM GitHub repository (e.g., pull request #7376). Advisories from sources like uartu0's GitHub advisory and VulDB recommend immediate patching, as a public exploit has been released and may facilitate attacks.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authentication flaw in a public-facing web application's API endpoint (ChurchCRM), enabling remote attackers to bypass authentication and access protected functionality, directly mapping to exploitation of public-facing applications.