CVE-2025-10405 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Baptism Information Management System, specifically within the /listbaptism.php file. The vulnerability arises from improper sanitization or validation of the 'bapt_id' parameter, which is susceptible to malicious input manipulation. An attacker can remotely exploit this vulnerability without any authentication or user interaction, by crafting specially crafted requests to the vulnerable parameter. Successful exploitation could allow the attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or deletion. The CVSS 4.0 base score of 6.9 (medium severity) reflects the network attack vector, low attack complexity, no privileges or user interaction required, but with limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The lack of available patches or mitigations from the vendor further elevates the urgency to implement protective measures. Given the nature of the application, which manages sensitive baptismal records, unauthorized access could lead to privacy violations and data integrity issues within religious or community organizations using this system.

For European organizations, particularly religious institutions, churches, or community centers that utilize the itsourcecode Baptism Information Management System, this vulnerability poses a significant risk to the confidentiality and integrity of personal and religious data. Unauthorized access or manipulation of baptism records could lead to privacy breaches, reputational damage, and potential legal consequences under the EU's GDPR framework. Additionally, data tampering could disrupt organizational operations and trust within communities. Although the system's niche use limits the scope, any affected organization could face operational disruptions and compliance challenges. The remote and unauthenticated nature of the exploit increases the threat level, especially for organizations with internet-facing installations of the vulnerable software without adequate network protections.

Given the absence of official patches, European organizations should immediately implement the following mitigations: 1) Apply Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting the 'bapt_id' parameter in /listbaptism.php. 2) Restrict network access to the application by limiting exposure to trusted IP ranges or internal networks only, preventing unauthorized external access. 3) Conduct thorough input validation and sanitization on all user-supplied data at the application or proxy level, if possible, to neutralize injection payloads. 4) Monitor application logs and network traffic for anomalous queries or repeated failed attempts indicative of exploitation attempts. 5) Consider isolating the database with strict least-privilege access controls to minimize the impact of a successful injection. 6) Engage with the vendor or community to seek or develop patches or updated versions addressing this vulnerability. 7) Educate administrators and users about the risks and signs of exploitation to enable rapid detection and response.