CVE-2025-10404 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Baptism Information Management System, specifically affecting an unspecified function within the /rptbaptismal.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which can be manipulated by an attacker to inject malicious SQL commands. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL queries against the backend database without requiring user interaction or privileges. The vulnerability is classified with a CVSS 4.0 base score of 6.9 (medium severity), reflecting its network attack vector, low attack complexity, no required privileges or user interaction, and limited impact on confidentiality, integrity, and availability. Exploitation could lead to unauthorized data disclosure, data modification, or partial disruption of service. Although no public exploits are currently known to be actively used in the wild, the exploit code has been made publicly available, increasing the risk of exploitation by opportunistic attackers. The Baptism Information Management System is a niche application likely used by religious organizations to manage baptismal records, which may contain sensitive personal data. The vulnerability's presence in a web-facing PHP script increases the attack surface, especially if the system is exposed to the internet or accessible within organizational networks without adequate protections.

For European organizations, particularly religious institutions, churches, or affiliated entities using the itsourcecode Baptism Information Management System, this vulnerability poses a risk of unauthorized access to sensitive personal and religious data. The exposure of baptismal records could lead to privacy violations under the GDPR framework, resulting in regulatory penalties and reputational damage. Additionally, attackers exploiting this vulnerability could alter or delete records, undermining data integrity and trustworthiness of the system. While the impact on availability is limited, disruption of access to critical records could affect organizational operations. Given the medium severity and ease of exploitation without authentication, organizations with internet-facing deployments or insufficient network segmentation are at higher risk. The lack of known active exploitation reduces immediate threat but does not eliminate the risk, especially as exploit code is publicly available, potentially increasing attack attempts over time.

Organizations should immediately audit their deployments of the itsourcecode Baptism Information Management System version 1.0 to identify affected instances. Since no official patch is currently provided, mitigation should focus on implementing input validation and parameterized queries or prepared statements in the /rptbaptismal.php script to sanitize the 'ID' parameter and prevent SQL injection. Network-level protections such as web application firewalls (WAFs) should be configured to detect and block SQL injection patterns targeting this endpoint. Restricting access to the application to trusted internal networks or VPNs can reduce exposure. Regular monitoring of logs for suspicious SQL query patterns or anomalous access attempts is recommended. Organizations should also plan to upgrade to a patched version once available or consider alternative software solutions with better security posture. Additionally, conducting security awareness training for administrators on the risks of SQL injection and secure coding practices will help prevent similar vulnerabilities in the future.