ChurchCRM Vulnerability CVE-2026-44548 Allows Unintended Delete Actions via Cross-Site Navigation Prior to 7.3.2
A high-severity cross-site navigation vulnerability has been identified in ChurchCRM, an open-source church management system, affecting versions prior to 7.3.2. Tracked as CVE-2026-44548 with a CVSS score of 8.1, the flaw enables an attacker-controlled page to trigger delete operations in a victim's logged-in session through crafted GET navigation. The vulnerability specifically affects the FundRaiserDelete.php, PropertyTypeDelete.php, and NoteDelete.php endpoints: an attacker who lures an authenticated user to a page they control can cause that user's browser to request these delete endpoints with the user's session cookie attached.
The core issue is that the application does not enforce request method validation for destructive operations. These endpoints appear to process deletion requests without requiring a POST submission or a CSRF token, so a plain link or redirect is enough to trigger them when a logged-in user visits a crafted webpage. The attacker therefore bypasses the expected user interaction safeguards by relying on ordinary browser navigation rather than a form submission. A public proof-of-concept accompanied the disclosure, which lowers the effort required to exploit the flaw.
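The pattern described above, as an added illustration rather than ChurchCRM's own code: a delete handler that acts on a bare GET beside a hardened version that insists on POST plus a per-session CSRF token. The `deleteFundRaiser()` routine, the `id` parameter name and the `$session['csrf_token']` slot are assumptions for the example.

```php
<?php
// Added example, not ChurchCRM source. deleteFundRaiser(), the 'id'
// parameter and the session key are assumed names.
declare(strict_types=1);

// Stand-in for the application's real delete routine (assumed).
function deleteFundRaiser(int $id): void
{
    // database work would happen here
}

// Vulnerable pattern: any navigation to this URL with a valid session cookie
// performs the deletion, so a link or redirect from another site suffices.
function handleDeleteVulnerable(array $query): void
{
    $id = (int) ($query['id'] ?? 0);
    if ($id > 0) {
        deleteFundRaiser($id);
    }
}

// Hardened pattern: destructive work requires a POST carrying a per-session
// CSRF token. Cross-site navigation is always a GET, so it cannot get here.
function handleDeleteHardened(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        http_response_code(405);            // GET may only render a confirmation form
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // Reject a missing token, a non-string (e.g. csrf_token[]=x) and a mismatch;
    // hash_equals() compares in constant time.
    if (!is_string($expected) || $expected === '' || !is_string($given)
        || !hash_equals($expected, $given)) {
        http_response_code(403);
        return false;
    }
    $id = (int) ($post['id'] ?? 0);
    if ($id <= 0) {
        return false;
    }
    deleteFundRaiser($id);
    return true;
}

// Token issued once per session and embedded as a hidden field in the
// confirmation form that the GET request renders.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}
```

For detection on unpatched instances, a GET to any of the three `*Delete.php` paths in the web server access log is itself anomalous once deletes are POST-only, and a cross-origin `Referer` on such a request is a strong signal of this attack.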
Organizations running unpatched ChurchCRM instances face the risk of unauthorized deletion of fundraisers, property types, and notes without administrator awareness. All deployments should immediately update to version 7.3.2, where the vulnerability has been addressed. Given the platform's use within religious institutions for managing sensitive member and financial data, the potential for data loss or operational disruption makes timely patching a priority for affected system administrators.