ChurchCRM 4.4.5 Exposes Critical SQL Injection Flaw in 'Why Came' Editor
A critical SQL injection vulnerability has been publicly disclosed in ChurchCRM version 4.4.5, exposing the church management software's database to potential compromise. The flaw resides in the `/churchcrm/WhyCameEditor.php` endpoint, specifically within the `PersonID` parameter. The vulnerability is exploitable by an authenticated user with administrative privileges, allowing for direct database manipulation and data exfiltration.
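The following is an added illustration of the bug class described above, not code from ChurchCRM itself: the real `WhyCameEditor.php` and its schema are not reproduced here. It uses a constructed in-memory SQLite table (assumed names `persons`, `id`, `why_came`) to show the anti-pattern of splicing `PersonID` into the statement text beside the fix a maintainer would apply, an integer allow-list check followed by parameter binding.

```python
import re
import sqlite3

# Constructed stand-in for the person record the 'Why Came' editor reads;
# table and column names are assumptions, not ChurchCRM's schema.
def make_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE persons (id INTEGER PRIMARY KEY, first_name TEXT, why_came TEXT)"
    )
    conn.executemany(
        "INSERT INTO persons VALUES (?, ?, ?)",
        [
            (1, "Alice", "invited by a member"),
            (2, "Bob", "moved to the area"),
            (3, "Carol", "found the website"),
        ],
    )
    return conn


def why_came_vulnerable(conn, person_id):
    """Anti-pattern: the raw request parameter becomes part of the SQL text.

    Whatever the client sends is parsed as SQL, so the WHERE clause is under
    the caller's control rather than the application's.
    """
    sql = f"SELECT id, why_came FROM persons WHERE id = {person_id}"
    return conn.execute(sql).fetchall()


def validate_person_id(raw):
    """Allow-list check: PersonID is a positive ASCII integer, nothing else."""
    text = str(raw).strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError(f"PersonID must be a positive integer, got {raw!r}")
    pid = int(text)
    if pid == 0:
        raise ValueError("PersonID must be positive")
    return pid


def why_came_hardened(conn, person_id):
    """Fixed form: validate the type, then bind the value as a parameter.

    The statement text is a constant; the driver passes the value separately,
    so it can never alter the query's structure.
    """
    pid = validate_person_id(person_id)
    return conn.execute(
        "SELECT id, why_came FROM persons WHERE id = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    print(why_came_vulnerable(db, "2"))         # the one intended row
    print(why_came_vulnerable(db, "0 OR 1=1"))  # textbook tautology: every row
    print(why_came_hardened(db, "2"))
    try:
        why_came_hardened(db, "0 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Both layers matter: binding alone would already stop the injection, but the allow-list check also turns any non-numeric `PersonID` into an explicit error that can be logged and alerted on, instead of a silently failing query.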
The disclosed exploit chain requires an attacker to first log in as an admin, navigate to a user's profile, and open the 'Edit "Why Came" Notes' function. By intercepting the resulting HTTP request with a tool such as Burp Suite, the attacker captures the request carrying the vulnerable `PersonID` parameter. The proof-of-concept then runs the `sqlmap` penetration testing tool against the saved request file (`churchcrm.txt`), which successfully injects into the parameter and executes arbitrary SQL statements against the backend database.
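For administrators who cannot patch immediately, the narrow legitimate value space of `PersonID` makes the endpoint easy to monitor. The script below is an added example, not part of the disclosure or of ChurchCRM: it scans constructed Apache combined-format access-log lines (sample traffic, not real data) and flags every request to `/churchcrm/WhyCameEditor.php` whose `PersonID` is not a plain positive integer. It assumes the parameter travels in the query string; a value sent in a POST body never reaches the access log and would need application-level or WAF logging instead.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format); not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /churchcrm/WhyCameEditor.php?PersonID=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /churchcrm/PersonView.php?PersonID=42 HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:13 +0000] "GET /churchcrm/WhyCameEditor.php?PersonID=42%20AND%201%3D1 HTTP/1.1" 200 1532 "-" "sqlmap/1.7"
10.0.0.9 - - [01/Jan/2024:10:01:14 +0000] "GET /churchcrm/WhyCameEditor.php?PersonID=42' HTTP/1.1" 500 211 "-" "sqlmap/1.7"
10.0.0.9 - - [01/Jan/2024:10:01:15 +0000] "GET /churchcrm/WhyCameEditor.php?PersonID=42%29%20AND%20SLEEP%285%29 HTTP/1.1" 200 1532 "-" "sqlmap/1.7"
"""

ENDPOINT = "/churchcrm/WhyCameEditor.php"   # endpoint named in the disclosure
PARAM = "PersonID"                           # parameter named in the disclosure
PERSON_ID_OK = re.compile(r"[0-9]{1,10}")    # the only shape a real id takes

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def flag_requests(log_text):
    """Return one finding per request to ENDPOINT with a malformed PersonID.

    Allow-listing the legitimate shape (digits only) catches any injection
    attempt regardless of encoding or evasion, because parse_qs has already
    undone the percent-encoding before the check runs.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if PERSON_ID_OK.fullmatch(value):
                continue
            findings.append(
                {
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "user_agent": m["ua"],
                    "person_id": value,  # decoded value for the analyst
                }
            )
    return findings


def summarize_by_source(findings):
    """Count malformed-PersonID requests per client address."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} status={h['status']} PersonID={h['person_id']!r} ua={h['user_agent']}")
    print(summarize_by_source(hits))
```

A burst of such findings from one address, especially alongside HTTP 500 responses or a scanner user agent, is a strong signal that the endpoint is being probed; because the check is on the parameter's shape rather than on payload signatures, it does not need updating as tooling changes.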
This vulnerability poses a direct threat to the confidentiality and integrity of all data managed by ChurchCRM, including sensitive member information, financial records, and internal communications. The public disclosure on a platform like GitHub provides a roadmap for both security researchers and malicious actors, increasing the urgency for administrators to apply patches or mitigations. The flaw highlights persistent security risks in niche but critical software used by religious and non-profit organizations, which often lack dedicated security oversight.