CVE-2022-31325: SQL Injection vulnerability in ChurchCRM 4.4.5 via /churchcrm/WhyCameEditor.php · Issue #6005 · ChurchCRM/CRM
There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the ‘PersonID’ field in /churchcrm/WhyCameEditor.php.
Isn’t admin allowed to make arbitrary SQL queries using QuerySQL.php?
Correct. However, we should be sanitising input appropriately on forms etc. Personally, I’m not a huge fan of the QuerySQL.php but it has made some support cases a lot easier - especially when not all admins are comfortable with phpMyAdmin or CLI MySQL tools.
@tuando243 - thanks for the report. I’ve categorised it as a security bug, but as it requires authenticated access it has limited risk to most setups (except our demo system!).
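To make the "sanitising input appropriately on forms" point concrete, here is an added illustration (not ChurchCRM's own code) of how a numeric identifier like `PersonID` can be validated and then passed to the database as a bound parameter rather than spliced into the SQL text. The PDO handle, the `person_per` table and `per_ID` column, and the handler name are assumptions for the example.

```php
<?php
// Added illustration, not ChurchCRM code. Demonstrates validating an
// integer request parameter and using it only via a prepared statement.
declare(strict_types=1);

/**
 * Validate that a request value is a positive integer id.
 * Returns null for anything else: empty, non-numeric, negative,
 * or a value carrying extra characters such as an SQL fragment.
 */
function readPersonId(array $request): ?int
{
    $raw = $request['PersonID'] ?? '';
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Fetch a person row with a prepared statement. The id travels as a
 * typed bound parameter, never as part of the SQL string, so the query
 * structure cannot be altered by the request value.
 * Table and column names are assumed placeholders.
 */
function fetchPerson(PDO $db, int $personId): ?array
{
    $stmt = $db->prepare(
        'SELECT per_ID, per_FirstName, per_LastName FROM person_per WHERE per_ID = :id'
    );
    $stmt->bindValue(':id', $personId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Example usage at the top of an editor page handler (hypothetical):
$personId = readPersonId($_GET);
if ($personId === null) {
    http_response_code(400);
    exit('Invalid PersonID');
}
// $db is assumed to be an existing PDO connection with exceptions enabled:
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// $person = fetchPerson($db, $personId);
```

Validation alone would already reject the malformed value; the prepared statement is the defence that holds even if a later code path forgets to validate.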
Related news
ChurchCRM 4.4.5 SQL Injection
ChurchCRM version 4.4.5 suffers from a remote SQL injection vulnerability.