CVE-2025-10404: SQL Injection in itsourcecode Baptism Information Management System
A vulnerability was found in itsourcecode Baptism Information Management System 1.0. It affects an unknown function of the file /rptbaptismal.php. Manipulation of the argument ID results in SQL injection. The attack may be performed remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-10404 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Baptism Information Management System, specifically affecting an unknown function within the /rptbaptismal.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which can be manipulated by an attacker to inject malicious SQL code. This injection flaw allows an unauthenticated attacker to execute arbitrary SQL commands remotely without any user interaction, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is low to medium, suggesting that while the attacker can manipulate data or extract information, the scope and severity of damage are somewhat limited. No official patches or mitigations have been published yet, and although the exploit has been made public, there are no confirmed reports of exploitation in the wild. The vulnerability affects only version 1.0 of the product, which is a niche application designed to manage baptismal records, likely used by religious organizations or institutions maintaining such data digitally.
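The flaw class described above, and the validation-plus-parameterization fix for it, as an added PHP example. This is not the product's /rptbaptismal.php code, which the advisory does not show: the unsafe function only models the bug class (an 'ID' parameter spliced into SQL text), and the table name tbl_baptismal, its columns and the helper names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the itsourcecode product: the advisory does
// not show the real /rptbaptismal.php handler. The unsafe function below
// models the flaw class it describes (an 'ID' request parameter that reaches
// the query as SQL text). The table tbl_baptismal and its columns are
// assumptions made for this illustration.

// --- Flawed pattern (illustration of the bug class, not the vendor's code) ---
// The parameter is spliced into the statement text, so the client controls
// part of the SQL grammar, not just a value.
function build_report_query_unsafe(string $id): string
{
    return "SELECT * FROM tbl_baptismal WHERE id = $id";
}

// --- Hardened handling ---
// Step 1: validate. A record ID is a positive integer; anything else is
// rejected before any database round-trip.
function parse_record_id(array $request): ?int
{
    if (!isset($request['ID']) || !is_string($request['ID'])) {
        return null;
    }
    $id = filter_var($request['ID'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Step 2: parameterize. The value is bound to a placeholder, so the statement
// structure is fixed before the database ever sees the client's data.
function fetch_baptismal_record(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM tbl_baptismal WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request entry point as it would sit at the top of the report script.
// $pdo is an already-connected handle; $request is normally $_GET.
function handle_report_request(PDO $pdo, array $request): void
{
    $id = parse_record_id($request);
    if ($id === null) {
        http_response_code(400);
        echo "Invalid record ID\n";
        return;
    }
    $record = fetch_baptismal_record($pdo, $id);
    if ($record === null) {
        http_response_code(404);
        echo "Record not found\n";
        return;
    }
    // Render the report from $record, escaping every field on output.
    echo htmlspecialchars((string) $record['child_name'], ENT_QUOTES), "\n";
}

// Offline self-check against an in-memory SQLite database with one constructed row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_baptismal (id INTEGER PRIMARY KEY, child_name TEXT)');
$pdo->exec("INSERT INTO tbl_baptismal (id, child_name) VALUES (1, 'Example Child')");

handle_report_request($pdo, ['ID' => '1']);      // prints the record
handle_report_request($pdo, ['ID' => "1'"]);     // rejected: not an integer
handle_report_request($pdo, ['ID' => '-5']);     // rejected: below min_range
handle_report_request($pdo, ['ID' => '999']);    // valid form, no such record
```

The two controls are independent and both are worth keeping: the integer check rejects malformed input early and gives a clean 400, while the bound parameter guarantees the statement structure cannot change even if a later code path forgets to validate. On MySQL deployments, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared on the server rather than assembled client-side by the driver.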
Potential Impact
For European organizations, the impact of this vulnerability depends largely on the adoption of the itsourcecode Baptism Information Management System within religious or community institutions. If deployed, exploitation could lead to unauthorized disclosure or alteration of sensitive personal data related to baptismal records, which may include personal identifiers and religious affiliations. This could result in privacy violations under GDPR, reputational damage, and potential legal consequences. Additionally, data integrity compromise could disrupt record-keeping and administrative processes. However, given the specialized nature of the software and the medium severity rating, widespread critical infrastructure impact is unlikely. The remote and unauthenticated nature of the exploit increases risk, especially for organizations that have not implemented network-level protections or input validation controls. The absence of confirmed exploitation in the wild suggests limited immediate threat but does not preclude targeted attacks against vulnerable installations.
Mitigation Recommendations
Organizations using the itsourcecode Baptism Information Management System version 1.0 should immediately conduct an inventory to identify affected systems. In the absence of an official patch, implement the following mitigations:
1) Apply strict input validation and parameterized queries or prepared statements in the /rptbaptismal.php script to sanitize the 'ID' parameter and prevent SQL injection.
2) Restrict network access to the application, limiting exposure to trusted internal networks or VPNs to reduce the remote attack surface.
3) Employ Web Application Firewalls (WAFs) configured to detect and block SQL injection attempts targeting the vulnerable endpoint.
4) Monitor logs for suspicious query patterns or repeated access attempts to /rptbaptismal.php with anomalous parameters.
5) Plan for an upgrade or replacement of the vulnerable system once a vendor patch or secure version is available.
6) Educate administrators about the risks and ensure backups of baptismal data are maintained securely to enable recovery in case of compromise.
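For mitigation step 4, an added PHP command-line example (not code from the advisory or the vendor) that scans web-server access logs for requests to /rptbaptismal.php whose ID parameter is present but not a positive integer, and tallies those requests per source address. The Apache/nginx "combined" log format is an assumption about the deployment; the log lines, addresses and timestamps are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or the vendor's product: a
// defender-side scan of access logs for mitigation step 4. Log lines are
// assumed to be in the Apache/nginx "combined" format. Every line below is
// constructed for this illustration; the addresses and timestamps are made up.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [14/Sep/2025:18:04:44 +0000] "GET /rptbaptismal.php?ID=42 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Sep/2025:18:04:45 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2025:18:05:01 +0000] "GET /rptbaptismal.php?ID=42%27 HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [14/Sep/2025:18:05:02 +0000] "GET /rptbaptismal.php?ID=42%20x HTTP/1.1" 200 5123 "-" "curl/8.0"
198.51.100.7 - - [14/Sep/2025:18:05:03 +0000] "GET /rptbaptismal.php?ID=-1 HTTP/1.1" 200 341 "-" "curl/8.0"
192.0.2.55 - - [14/Sep/2025:18:06:10 +0000] "GET /rptbaptismal.php HTTP/1.1" 200 341 "-" "Mozilla/5.0"
LOG;

// Split a combined-format line into the fields the check needs, or return
// null if the line does not match the format.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    $params = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $params);   // percent-decodes the values
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? $m[4],
        'params' => $params,
        'status' => (int) $m[5],
    ];
}

// The only legitimate shape for the report's ID is a positive integer.
// Quotes, spaces, negative numbers or array syntax are all anomalous.
function is_valid_record_id($value): bool
{
    return is_string($value) && ctype_digit($value) && (int) $value > 0;
}

// Return every request to the vulnerable endpoint that carries a malformed ID.
// Requests without an ID are left alone to keep the output low-noise.
function find_suspicious_requests(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_log_line($line);
        if ($req === null || $req['path'] !== '/rptbaptismal.php') {
            continue;
        }
        $id = $req['params']['ID'] ?? null;
        if ($id === null || is_valid_record_id($id)) {
            continue;
        }
        $findings[] = [
            'ip'     => $req['ip'],
            'time'   => $req['time'],
            'ID'     => is_string($id) ? $id : var_export($id, true),
            'status' => $req['status'],
        ];
    }
    return $findings;
}

// Repeated anomalous hits from one address are the "repeated access attempts"
// the mitigation text refers to; sort sources by count, highest first.
function count_by_source(array $findings): array
{
    $counts = [];
    foreach ($findings as $f) {
        $counts[$f['ip']] = ($counts[$f['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

$findings = find_suspicious_requests(SAMPLE_LOG);
foreach ($findings as $f) {
    printf("%s %s ID=%s status=%d\n", $f['time'], $f['ip'], $f['ID'], $f['status']);
}
foreach (count_by_source($findings) as $ip => $n) {
    printf("%-15s %d anomalous request(s)\n", $ip, $n);
}
```

Run against the sample, the three curl requests from 198.51.100.7 are reported (a quote, an embedded space and a negative value) while the well-formed ID=42 request and the request with no ID are not. In production, replace SAMPLE_LOG with the contents of the real access log and consider the HTTP status column as a second signal: a burst of 500 responses on this endpoint often marks the point where malformed input reached the database layer.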
Affected Countries
Germany, France, Italy, Spain, Poland, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-13T19:50:03.705Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c703bc18915fc6ece40156
Added to database: 9/14/2025, 6:04:44 PM
Last enriched: 9/22/2025, 12:31:59 AM
Last updated: 10/29/2025, 9:28:06 PM