Executive Summary
A critical remote code execution (RCE) vulnerability has been disclosed in ChurchCRM, a widely deployed open-source church management system. Tracked as CVE-2026-58409 with a CVSS score of 9.1, the flaw allows any authenticated administrator to execute arbitrary code on the server by uploading a malicious plugin ZIP archive containing a PHP webshell.
The vulnerability has been fixed in ChurchCRM version 7.4.0. All earlier versions are affected.
Vulnerability Overview
Root Cause
ChurchCRM's plugin installation feature accepts ZIP archives but fails to properly restrict the file types extracted from those archives. The application explicitly includes php in its ALLOWED_EXTENSIONS list, permitting PHP files to be extracted and placed in a web-accessible directory. An attacker who can authenticate as an administrator can abuse this to plant a PHP webshell and achieve arbitrary OS command execution.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-58409 |
| CVSS Score | 9.1 (Critical) |
| Type | Authenticated Remote Code Execution |
| Attack Vector | Network |
| Authentication | Required (Administrator) |
| Privileges Required | High (Admin) |
| User Interaction | None |
| Exploitation | Proof-of-concept available |
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| ChurchCRM | < 7.4.0 | 7.4.0 |
Technical Details
Attack Flow
- Attacker authenticates to ChurchCRM with administrator credentials (obtained through credential stuffing, phishing, or insider access).
- Attacker navigates to the plugin management interface and uploads a crafted ZIP archive.
- The ZIP archive contains a PHP webshell (e.g.,
shell.php) embedded within the plugin structure. - ChurchCRM extracts the ZIP contents — including the PHP file — into a web-accessible directory because
phpis listed inALLOWED_EXTENSIONS. - The attacker accesses the webshell via HTTP, achieving arbitrary OS command execution as the web server user.
Why CVSS 9.1 Despite Requiring Admin Authentication
The high CVSS score reflects:
- Full system compromise once exploited (confidentiality, integrity, and availability all impacted)
- No secondary user interaction required after upload
- Post-exploitation pivot potential — webshell provides persistent access that survives admin password changes
- Many ChurchCRM deployments have shared or weak admin credentials
Impact
Successful exploitation allows an attacker to:
- Execute arbitrary OS commands on the web server
- Read, modify, or delete all application data (congregation records, financial data, personal information)
- Pivot laterally into the host network if the server has internal network access
- Install persistent backdoors surviving ChurchCRM updates
- Access any credentials or API keys stored on the server
Remediation
Immediate Actions
- Upgrade to ChurchCRM 7.4.0 — the fix removes
phpfrom the list of allowed plugin archive extensions and adds server-side validation of extracted file types. - Audit plugin directory — Check for unexpected
.phpfiles in the plugin/upload directories. Any files not matching legitimate plugins should be treated as indicators of compromise. - Review administrator accounts — Remove unused admin accounts and enforce strong passwords with MFA where possible.
If Patching Is Delayed
- Disable the plugin installation feature via application configuration or firewall rules restricting access to the plugin upload endpoint.
- Place ChurchCRM behind authentication (e.g., VPN or network-level access control) to reduce exposure surface.
- Monitor web server logs for suspicious PHP file accesses in plugin directories.
Detection
| Indicator | Description |
|---|---|
Unexpected .php files in plugin directories | Planted webshell |
| HTTP requests to unknown PHP files in plugin paths | Webshell execution |
| Outbound connections from web server process | C2 or data exfiltration |
| Admin login from unusual IP followed by plugin upload | Exploitation attempt |
Key Takeaways
- CVSS 9.1 — Authenticated RCE via malicious plugin ZIP upload
- PHP allowed in plugin archives — root cause; fixed in ChurchCRM 7.4.0
- Upgrade immediately — all ChurchCRM installations prior to 7.4.0 are vulnerable
- Audit for compromise — check plugin directories for unexpected PHP files
- Limit admin access — reduce the pool of accounts that could be leveraged for exploitation