ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attendance reports module.
https://github.com/blakduk/Advisories/blob/main/ChurchCRM/README.md
https://github.com/ChurchCRM/CRM/issues/6441
https://github.com/ChurchCRM/CRM/
http://packetstormsecurity.com/files/172047/ChurchCRM-4.5.3-SQL-Injection.html