CVE-2024-25891 is a Blind SQL Injection vulnerability discovered in ChurchCRM version 5.5.0, specifically within the FRBidSheets.php script. The vulnerability arises from improper sanitization of the CurrentFundraiser parameter passed via HTTP GET requests. An attacker can exploit this flaw by sending crafted requests that manipulate the underlying SQL queries, causing the database to execute unintended commands. The injection is time-based, meaning the attacker infers data by measuring response delays, which allows extraction of sensitive information without direct error messages or output. The vulnerability requires no authentication and no user interaction, making it remotely exploitable by any attacker with network access to the ChurchCRM instance. The vulnerability is classified under CWE-89, which covers SQL Injection issues due to improper neutralization of special elements in SQL commands. The CVSS 3.1 score of 7.5 indicates a high severity level, with an attack vector of network, low attack complexity, no privileges required, no user interaction, and impact primarily on confidentiality. No patches or fixes have been published at the time of disclosure, and no known exploits are reported in the wild. This vulnerability poses a risk of data leakage from the ChurchCRM database, potentially exposing sensitive organizational or user information stored within the system.

The primary impact of CVE-2024-25891 is the potential unauthorized disclosure of sensitive data stored in ChurchCRM databases. Since the vulnerability allows blind SQL injection, attackers can extract confidential information such as donor details, fundraising data, or user credentials by leveraging time-based inference techniques. Although the vulnerability does not directly affect data integrity or system availability, the confidentiality breach can lead to privacy violations, reputational damage, and compliance issues for organizations using ChurchCRM. Given that ChurchCRM is used by churches and nonprofit organizations worldwide to manage community and fundraising activities, the exposure of such data could undermine trust and operational security. The ease of exploitation without authentication increases the risk of automated scanning and targeted attacks. Organizations that rely heavily on ChurchCRM for managing sensitive data are at higher risk, especially if the application is exposed to the internet without additional protective controls.

1. Immediate mitigation should include restricting external access to the ChurchCRM instance, ideally limiting it to trusted networks or VPNs to reduce exposure. 2. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the CurrentFundraiser parameter, focusing on time-based injection signatures. 3. Conduct input validation and sanitization on all user-supplied parameters, especially the CurrentFundraiser GET parameter, to ensure only expected data types and values are accepted. 4. Employ parameterized queries or prepared statements in the FRBidSheets.php code to prevent SQL injection at the source. 5. Monitor application logs for unusual delays or repeated requests targeting the vulnerable parameter, which may indicate exploitation attempts. 6. Engage with the ChurchCRM development community or vendor to obtain or request an official patch or update addressing this vulnerability. 7. Until a patch is available, consider disabling or restricting access to the vulnerable functionality if feasible. 8. Educate administrators and users about the risks and signs of exploitation to improve detection and response capabilities.