ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the src/CartToFamily.php file, specifically in how the PersonAddress POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the InputUtils class, the PersonAddress parameter is missing the type definition.

This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.