CVE-2024-25892 identifies a Blind SQL Injection vulnerability in ChurchCRM version 5.5.0, specifically in the ConfirmReport.php file. The vulnerability arises from improper sanitization of the familyId parameter passed via HTTP GET requests, allowing an attacker to inject malicious SQL queries. This is a time-based blind SQL injection, meaning the attacker can infer database information by measuring response delays caused by injected SQL commands. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS v3.1 score of 8.1 reflects high severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. The underlying weakness corresponds to CWE-89, which is improper neutralization of special elements used in SQL commands. Exploiting this vulnerability could allow attackers to extract sensitive data, modify or delete database contents, or disrupt application availability. Although no exploits are currently known in the wild and no patches have been released, the risk remains significant due to the ease of remote exploitation and the critical nature of the data managed by ChurchCRM. Organizations relying on this software should monitor for updates and consider immediate mitigations.

The impact of this vulnerability is substantial for organizations using ChurchCRM 5.5.0. Successful exploitation can lead to unauthorized disclosure of sensitive information stored in the database, including personal data of church members and related entities. Attackers could also alter or delete data, undermining data integrity and potentially disrupting church operations. Availability may be affected if attackers execute commands that cause denial of service or corrupt the database. Given that the vulnerability is exploitable remotely without authentication, attackers can target vulnerable systems from anywhere, increasing the attack surface. Although ChurchCRM is a niche application, the sensitive nature of the data it handles elevates the risk. Organizations may face reputational damage, legal consequences related to data protection regulations, and operational interruptions if this vulnerability is exploited.

To mitigate CVE-2024-25892, organizations should first verify if they are running ChurchCRM version 5.5.0 and restrict access to the ConfirmReport.php endpoint, especially the familyId parameter, by implementing web application firewalls (WAF) with custom rules to detect and block SQL injection patterns. Input validation and parameterized queries should be enforced in the application code to sanitize all user inputs rigorously. Until an official patch is released, consider disabling or restricting the vulnerable functionality if feasible. Network-level controls such as IP whitelisting and VPN access can reduce exposure. Regularly monitor application logs for suspicious query patterns or abnormal response times indicative of time-based SQL injection attempts. Additionally, maintain up-to-date backups of the database to enable recovery in case of data tampering or loss. Engage with the ChurchCRM community or vendor for updates and patches and apply them promptly once available.