DNA View

High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2026-40581

High

Low Medium High Critical

8.1

CVSS Score

Published: Apr 18, 2026

Last Modified: Apr 18, 2026

CWE: CWE-352

Vulnerability Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

References & Resources

Severity Details

8.1

out of 10.0

High

Weakness Type (CWE)

CWE-352 Top 25 #4

Cross-Site Request Forgery (CSRF)

Description: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Exploit Likelihood: Medium
Typical Severity: High
OWASP Top 10: A01:2021-Broken Access Control
Abstraction Level: Compound