SQL injection in PaddleNumEditor.php

High
DawoudIO published GHSA-p3q7-q68q-h2gr Jan 30, 2026

Package

No package listed

Affected versions

6.6.1

Patched versions

None

Description

Date: January 7, 2026
Researcher: Nguyen Truong Son (truongson526@gmail.com)

Summary

A critical SQL Injection vulnerability exists in endpoint /PaddleNumEditor.php in ChurchCRM 6.6.1. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the PerID parameter.

Details

The issue is located in src/PaddleNumEditor.php.

Vulnerable code, lines 42-43:

    $iNum = InputUtils::legacyFilterInput($_POST['Num']);
    $iPerID = InputUtils::legacyFilterInput($_POST['PerID']);

Line 51:

    $sqlNumBought = 'SELECT mb_count from multibuy_mb WHERE mb_per_ID=' . $iPerID . ' AND mb_item_ID=' . $di_ID;

  • The values of $iNum and $iPerID are never cast to int. They are then concatenated directly into the query string on line 51; no escaping, quoting, type enforcement, or parameter binding is applied.

  • Payloads containing ) or -- break the intended WHERE clause, so the attacker-supplied SQL is executed by the database.

  • Even a user with zero permissions can exploit the vulnerability.

  • A SLEEP(5) payload reliably delays the response, proving SQL execution.
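
As an added example (not ChurchCRM's code), the multibuy_mb lookup from line 51 rewritten the way the concatenation should be fixed: the PerID and item id are validated as integers and bound as parameters, so user bytes never reach the SQL text. The SQLite schema and rows are constructed for the demo, and PHP's own FILTER_VALIDATE_INT stands in for InputUtils::legacyFilterInput.

```php
<?php
// Added example, not ChurchCRM's code. Table and column names come from
// the advisory; the in-memory SQLite schema and sample row are constructed.
declare(strict_types=1);

/**
 * Return the value as an int, or null if it is not a well-formed integer.
 * FILTER_VALIDATE_INT rejects any input that carries SQL syntax.
 */
function toIntOrNull(mixed $value): ?int
{
    $result = filter_var($value, FILTER_VALIDATE_INT);
    return $result === false ? null : $result;
}

/**
 * Look up how many of item $rawItemId person $rawPerId already bought.
 * Both ids are validated as integers and bound with PDO::PARAM_INT, so the
 * query text is fixed and cannot be altered by request parameters.
 */
function fetchNumBought(PDO $pdo, mixed $rawPerId, mixed $rawItemId): ?int
{
    $perId = toIntOrNull($rawPerId);
    $itemId = toIntOrNull($rawItemId);
    if ($perId === null || $itemId === null) {
        // Reject the request; never fall back to string concatenation.
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT mb_count FROM multibuy_mb WHERE mb_per_ID = :per AND mb_item_ID = :item'
    );
    $stmt->bindValue(':per', $perId, PDO::PARAM_INT);
    $stmt->bindValue(':item', $itemId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? 0 : (int) $row['mb_count'];
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE multibuy_mb (mb_per_ID INTEGER, mb_item_ID INTEGER, mb_count INTEGER)');
$pdo->exec('INSERT INTO multibuy_mb VALUES (7, 3, 2)');

// Well-formed ids: the prepared query runs and returns the stored count.
var_dump(fetchNumBought($pdo, '7', '3'));
// The advisory's payload is not an integer: rejected before any query runs.
var_dump(fetchNumBought($pdo, '-1 or sleep(5)-- -', '3'));
```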

PoC

Video PoC (SQL injection.mkv): https://drive.google.com/drive/u/0/folders/12baz_wj1_MGeMZe6ah5NxqGDlitJFw_e

  1. Log in using user attacker_1 (zero permissions)
  2. Go to Fundraiser -> Create New Fundraiser -> Save
  3. Click Add Donated Item
  4. Name the item, and make sure to check the Sell to everyone (Multiple items) option.
  5. Click Save
  6. Go to Add Donors to Buyer List, then click Add Buyer
  7. Click Save
  8. Observing the Burp Proxy, we see a POST request to /PaddleNumEditor.php
  9. Replace the value of PerID with -1 or sleep(5)-- -. The response returns after 5 seconds.
  10. Check again with sleep(10)
  11. Exploiting with sqlmap
     • Save the request to the file request.txt
     • Extract databases

Impact

  • Complete database compromise (read/write/delete)
  • Extraction of all sensitive ChurchCRM data
  • Possible privilege escalation
  • Potential for RCE depending on SQL functions and configuration

Severity

High

CVSS v3 base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2026-24854

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Credits