Church Admin - Insecure deserialization
Summary
| Field | Value |
| --- | --- |
| Name | Church Admin 5.0.2 - Insecure deserialization |
| Code name | skims-0005 |
| Product | Church Admin |
| Affected versions | Version 5.0.2 |
| State | Private |
| Release date | 2025-03-14 |
Vulnerability
| Field | Value |
| --- | --- |
| Kind | Insecure deserialization |
| Rule | Insecure deserialization |
| Remote | No |
| CVSSv4 Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U |
| CVSSv4 Base Score | 1.7 (Low) |
| Exploit available | No |
| CVE ID(s) | CVE-2025-31290 |
Description
Church Admin 5.0.2 was found to be vulnerable: unvalidated user input is passed directly to an unserialize() call in myapp/includes/settings.php.
Vulnerability
Skims by Fluid Attacks discovered an insecure deserialization vulnerability in Church Admin 5.0.2. The following is the output of the tool:
Skims output

```
  1371 | function church_admin_restrict_access()
  1372 | {
  1373 |
  1374 | echo'<h1 >'.esc_html( __('Restrict access to address list from certain people','church-admin' ) ).'</h2>';
  1375 |
  1376 | if(!empty( $_POST['save-restricted'] ) )
  1377 | {
> 1378 | if(!empty( $_POST['people'] ) )$people=unserialize(church_admin_get_people_id(sanitize_text_field( $_POST['people'] ) )
  1379 | if(!empty( $people) ) {update_option('church-admin-restricted-access',$people);}else{delete_option('church-admin-restr
  1380 | }
  1381 | $restrictedList=get_option('church-admin-restricted-access');
  1382 | $people='';
  1383 | if(!empty( $restrictedList) )$people=church_admin_get_people( $restrictedList);
  1384 | echo'<p>'.esc_html( __('Restrict access to the directory by certain users','church-admin' ) ).'</p>';
  1385 | echo'<form action="" method="POST">';
  1386 | echo'<p>'.church_admin_autocomplete('people','friends','to',$people,FALSE).'</p>';
  1387 | echo'<input type="hidden" name="save-restricted" value="1" /><input type="submit" class="button-primary" value="'.esc_ht
  1388 |
  1389 |
  1390 | }
         ^ Col 0
```
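The finding above reduces to one pattern: a value the client controls reaches unserialize(), so the client decides which classes get instantiated and which magic methods (__wakeup, __destruct) run. The following is an added example, not Church Admin code and not produced by Skims; the function names are hypothetical and the serialized strings are constructed for illustration. It places the unsafe pattern beside a hardened variant that both disables object instantiation and validates the decoded value against the only shape the feature needs (a flat list of positive integer IDs).

```php
<?php
// Added example (hypothetical names, not from the Church Admin plugin).

/**
 * Unsafe pattern, as in the advisory: the raw client value is deserialized
 * with no restriction on which classes may be instantiated.
 */
function people_from_request_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

/**
 * Hardened variant, two layers:
 *  1. 'allowed_classes' => false makes unserialize() turn every serialized
 *     object into __PHP_Incomplete_Class instead of instantiating it, so no
 *     attacker-chosen class code runs during decoding.
 *  2. The decoded value is then checked against the expected shape; anything
 *     that is not a flat list of positive integers is rejected.
 */
function people_from_request_safe(string $raw): ?array
{
    // '@' suppresses the notice unserialize() emits on malformed input;
    // the return value is checked explicitly below.
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return null;
    }
    $ids = [];
    foreach ($decoded as $value) {
        if (!is_int($value) || $value <= 0) {
            return null; // objects, strings, nested arrays: all refused
        }
        $ids[] = $value;
    }
    return array_values(array_unique($ids));
}

/**
 * Where the wire format is under your control, do not use PHP serialization
 * for client data at all: a comma-separated list of integers (or JSON with
 * the same validation) carries no class information to begin with.
 */
function people_from_csv(string $raw): ?array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part === '' || !ctype_digit($part) || (int) $part <= 0) {
            return null;
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

// Constructed inputs: one benign list and two that carry serialized objects.
$constructed = [
    'plain id list'   => 'a:2:{i:0;i:12;i:1;i:34;}',
    'top-level object'=> 'O:8:"stdClass":1:{s:1:"x";i:1;}',
    'object in list'  => 'a:1:{i:0;O:8:"stdClass":0:{}}',
];

foreach ($constructed as $label => $payload) {
    $result = people_from_request_safe($payload);
    printf("%-18s -> %s\n", $label, $result === null ? 'rejected' : implode(',', $result));
}
// Expected: only 'plain id list' is accepted, yielding 12,34.

printf("csv '12, 34,12'    -> %s\n", implode(',', people_from_csv('12, 34,12') ?? ['rejected']));
printf("csv '12,abc'       -> %s\n", implode(',', people_from_csv('12,abc') ?? ['rejected']));
```

Two points worth keeping in mind when applying this to a plugin like the one above: 'allowed_classes' => false still runs the native unserialize() parser over attacker bytes, which is why the third function (a format without any class notion) is the stronger fix for new code; and the validation step is what actually enforces the feature's contract, since a serialized array of arbitrary strings would pass the class restriction alone.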
Our security policy
We have reserved the ID CVE-2025-31290 to refer to this issue from now on.
System Information
- Product: Church Admin
- Version: 5.0.2
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims.
Timeline
- 2025-03-14: Vulnerability discovered.
- 2025-03-14: Vendor contacted.