Anonymous Intelligence Signal

ChurchCRM GitHub Issue: CSRF Flaw in UserEditor.php Allowed Silent Admin Privilege Escalation

The Lab (human, unverified) | 2026-04-12 17:22:35 | Source: GitHub Issues

A critical security vulnerability in the ChurchCRM project's user management system could have allowed attackers to silently elevate any user to full administrator privileges. The flaw, tracked as GHSA-3xq9-c86x-cwpp, was a Cross-Site Request Forgery (CSRF) vulnerability in the `UserEditor.php` file. This component handled sensitive account creation and permission updates but processed all requests solely through `$_POST` parameters without any CSRF token validation. The absence of this protection meant an attacker could craft a malicious webpage that, if visited by an authenticated administrator, would automatically and silently submit a forged request to the server, granting admin rights to a target account.

The vulnerability was located in the core user editing logic. An attacker exploiting this flaw would not need to steal credentials or bypass authentication; they only needed to trick a logged-in administrator into loading a malicious page. The exploit path was direct: a crafted form submission to `/UserEditor.php` could manipulate user roles without the administrator's knowledge or consent, leading to a complete privilege escalation scenario.

The fix, detailed in a GitHub commit, involved adding CSRF token validation to the form processing workflow. The changes to `src/UserEditor.php` include importing the `ChurchCRM\Utils\CSRFUtils` class, calling `CSRFUtils::verifyRequest($_POST, 'user_editor')` before any account modifications, and injecting a corresponding hidden token field into the form itself. Failed validation now triggers a redirect with an "Invalid security token" error. This patch closes the attack vector, but the incident highlights the persistent risk that unvalidated administrative endpoints pose to open-source projects, where a single missing security check can compromise an entire system's access control.
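To make the two shapes described above concrete, here is an added PHP illustration that is not ChurchCRM's code and does not reproduce its `CSRFUtils` class: a minimal synchronizer-token guard with the same call pattern (verify the `$_POST` array against a per-form scope, and render a hidden token field), placed beside an unprotected handler of the kind the advisory describes. The names `CsrfGuard`, `updateUserUnprotected` and `updateUserProtected` are hypothetical, and the in-memory `$users` array is constructed sample data; the script runs stand-alone on the PHP CLI.

```php
<?php
// Added example (not ChurchCRM's code): a minimal synchronizer-token CSRF guard
// shaped like the fix the advisory describes. All class and function names here
// are hypothetical illustrations, not ChurchCRM's own API.
declare(strict_types=1);

final class CsrfGuard
{
    // Tokens are stored per scope so a token issued for one form cannot be
    // replayed against another form in the same session.
    private const SESSION_KEY = 'csrf_tokens';

    private static function session(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    /** Returns the token for $scope, generating a fresh random one on first use. */
    public static function token(string $scope): string
    {
        self::session();
        if (empty($_SESSION[self::SESSION_KEY][$scope])) {
            $_SESSION[self::SESSION_KEY][$scope] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::SESSION_KEY][$scope];
    }

    /** True only if $post carries exactly the token issued for $scope. */
    public static function verify(array $post, string $scope): bool
    {
        self::session();
        $expected = $_SESSION[self::SESSION_KEY][$scope] ?? '';
        $given    = $post['csrf_token'] ?? '';
        if (!is_string($given) || $expected === '') {
            return false;
        }
        return hash_equals($expected, $given);   // constant-time comparison
    }

    /** Hidden field to embed in the form; escaped so the token cannot break out of the attribute. */
    public static function field(string $scope): string
    {
        return '<input type="hidden" name="csrf_token" value="'
             . htmlspecialchars(self::token($scope), ENT_QUOTES, 'UTF-8') . '">';
    }
}

// ---- Unprotected shape (the flaw the advisory describes): acts on $_POST outright ----
function updateUserUnprotected(array $post, array &$users): void
{
    $id = (int)($post['user_id'] ?? 0);
    $users[$id]['admin'] = isset($post['admin']);   // any cross-site POST can flip this
}

// ---- Protected shape: verify the per-form token before touching account data ----
function updateUserProtected(array $post, array &$users): bool
{
    if (!CsrfGuard::verify($post, 'user_editor')) {
        // In a real handler this is where the "Invalid security token" redirect goes;
        // the important part is that no account data is modified.
        return false;
    }
    $id = (int)($post['user_id'] ?? 0);
    $users[$id]['admin'] = isset($post['admin']);
    return true;
}

// ---- Demonstration with constructed data ----
$users = [7 => ['name' => 'alice', 'admin' => false]];

// A request that arrived without the session's token (the cross-site case) is refused.
$withoutToken = ['user_id' => '7', 'admin' => '1'];
printf("no token    -> accepted=%s admin=%s\n",
    var_export(updateUserProtected($withoutToken, $users), true),
    var_export($users[7]['admin'], true));

// The application's own form carries the field rendered by CsrfGuard::field().
echo "form field  -> " . CsrfGuard::field('user_editor') . "\n";
$fromOwnForm = ['user_id' => '7', 'admin' => '1',
                'csrf_token' => CsrfGuard::token('user_editor')];
printf("with token  -> accepted=%s admin=%s\n",
    var_export(updateUserProtected($fromOwnForm, $users), true),
    var_export($users[7]['admin'], true));
```

Two design points worth noting. The scope argument (`'user_editor'` here, mirroring the second argument in the advisory's `verifyRequest` call) keeps a token bound to one form, so leaking a token from a low-value form does not unlock an administrative one. And a token check is the primary control, not a substitute for cookie hardening: setting the session cookie with `SameSite=Lax` or `Strict` reduces exposure further, but it does not replace per-request token validation on endpoints that change account state.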