ChurchCRM versions prior to 7.2.0 contain a critical CSRF vulnerability in the family record deletion endpoint (SelectDelete.php). The vulnerability allows permanent, irreversible deletion of family records and associated data via GET requests without CSRF token validation. Attackers can craft malicious pages that silently trigger deletions when visited by authenticated administrators. The vulnerability affects sensitive data including family records, notes, pledges, persons, and property information. The issue has been patched in version 7.2.0.