Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1892+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. ChurchCRM Plugin RCE via Malicious ZIP Upload — CVE-2026-58409
ChurchCRM Plugin RCE via Malicious ZIP Upload — CVE-2026-58409

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-58409

ChurchCRM Plugin RCE via Malicious ZIP Upload — CVE-2026-58409

A critical authenticated RCE vulnerability in ChurchCRM allows administrators to achieve remote code execution by uploading a malicious plugin ZIP containing a PHP webshell. CVSS 9.1. Fixed in v7.4.0.

Dylan H.

Security Team

July 14, 2026
4 min read

Affected Products

  • ChurchCRM < 7.4.0

Executive Summary

A critical remote code execution (RCE) vulnerability has been disclosed in ChurchCRM, a widely deployed open-source church management system. Tracked as CVE-2026-58409 with a CVSS score of 9.1, the flaw allows any authenticated administrator to execute arbitrary code on the server by uploading a malicious plugin ZIP archive containing a PHP webshell.

The vulnerability has been fixed in ChurchCRM version 7.4.0. All earlier versions are affected.


Vulnerability Overview

Root Cause

ChurchCRM's plugin installation feature accepts ZIP archives but fails to properly restrict the file types extracted from those archives. The application explicitly includes php in its ALLOWED_EXTENSIONS list, permitting PHP files to be extracted and placed in a web-accessible directory. An attacker who can authenticate as an administrator can abuse this to plant a PHP webshell and achieve arbitrary OS command execution.

AttributeValue
CVE IDCVE-2026-58409
CVSS Score9.1 (Critical)
TypeAuthenticated Remote Code Execution
Attack VectorNetwork
AuthenticationRequired (Administrator)
Privileges RequiredHigh (Admin)
User InteractionNone
ExploitationProof-of-concept available

Affected Versions

ProductAffected VersionsFixed Version
ChurchCRM< 7.4.07.4.0

Technical Details

Attack Flow

  1. Attacker authenticates to ChurchCRM with administrator credentials (obtained through credential stuffing, phishing, or insider access).
  2. Attacker navigates to the plugin management interface and uploads a crafted ZIP archive.
  3. The ZIP archive contains a PHP webshell (e.g., shell.php) embedded within the plugin structure.
  4. ChurchCRM extracts the ZIP contents — including the PHP file — into a web-accessible directory because php is listed in ALLOWED_EXTENSIONS.
  5. The attacker accesses the webshell via HTTP, achieving arbitrary OS command execution as the web server user.

Why CVSS 9.1 Despite Requiring Admin Authentication

The high CVSS score reflects:

  • Full system compromise once exploited (confidentiality, integrity, and availability all impacted)
  • No secondary user interaction required after upload
  • Post-exploitation pivot potential — webshell provides persistent access that survives admin password changes
  • Many ChurchCRM deployments have shared or weak admin credentials

Impact

Successful exploitation allows an attacker to:

  • Execute arbitrary OS commands on the web server
  • Read, modify, or delete all application data (congregation records, financial data, personal information)
  • Pivot laterally into the host network if the server has internal network access
  • Install persistent backdoors surviving ChurchCRM updates
  • Access any credentials or API keys stored on the server

Remediation

Immediate Actions

  1. Upgrade to ChurchCRM 7.4.0 — the fix removes php from the list of allowed plugin archive extensions and adds server-side validation of extracted file types.
  2. Audit plugin directory — Check for unexpected .php files in the plugin/upload directories. Any files not matching legitimate plugins should be treated as indicators of compromise.
  3. Review administrator accounts — Remove unused admin accounts and enforce strong passwords with MFA where possible.

If Patching Is Delayed

  • Disable the plugin installation feature via application configuration or firewall rules restricting access to the plugin upload endpoint.
  • Place ChurchCRM behind authentication (e.g., VPN or network-level access control) to reduce exposure surface.
  • Monitor web server logs for suspicious PHP file accesses in plugin directories.

Detection

IndicatorDescription
Unexpected .php files in plugin directoriesPlanted webshell
HTTP requests to unknown PHP files in plugin pathsWebshell execution
Outbound connections from web server processC2 or data exfiltration
Admin login from unusual IP followed by plugin uploadExploitation attempt

Key Takeaways

  1. CVSS 9.1 — Authenticated RCE via malicious plugin ZIP upload
  2. PHP allowed in plugin archives — root cause; fixed in ChurchCRM 7.4.0
  3. Upgrade immediately — all ChurchCRM installations prior to 7.4.0 are vulnerable
  4. Audit for compromise — check plugin directories for unexpected PHP files
  5. Limit admin access — reduce the pool of accounts that could be leveraged for exploitation

References

  • NVD — CVE-2026-58409
  • ChurchCRM GitHub — Release 7.4.0
#CVE-2026-58409#ChurchCRM#RCE#PHP#Plugin#WebShell

Related Articles

CVE-2026-15488: Unrestricted File Upload in shiroiAdmin Enables Remote Code Execution

A high-severity unrestricted file upload vulnerability in shiroiAdmin versions 1.1 and 1.3 allows unauthenticated remote attackers to upload PHP webshells and achieve remote code execution.

4 min read

CVE-2026-14635: Unrestricted File Upload RCE in CodeIgniter Ecommerce Bootstrap

A high-severity unrestricted file upload vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows authenticated vendor users to upload...

3 min read

CVE-2026-14637: PHP Deserialization RCE in CodeIgniter Ecommerce Bootstrap Shopping Cart

A high-severity PHP deserialization vulnerability in the kirilkirkov Ecommerce-CodeIgniter-Bootstrap allows attackers to inject malicious serialized...

4 min read
Back to all Security Alerts