
CVE-2025-10405: SQL Injection in itsourcecode Baptism Information Management System

Severity: Medium
Published: Sun Sep 14 2025 (09/14/2025, 18:32:07 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Baptism Information Management System

Description

A vulnerability was determined in itsourcecode Baptism Information Management System 1.0. Affected is an unknown function of the file /listbaptism.php. Manipulation of the argument bapt_id causes SQL injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

AI-Powered Analysis

Last updated: 09/14/2025, 18:39:47 UTC

Technical Analysis

CVE-2025-10405 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Baptism Information Management System. The vulnerability exists in an unspecified function within the /listbaptism.php file, where the 'bapt_id' parameter is improperly sanitized or validated, allowing an attacker to inject malicious SQL code. This injection flaw can be exploited remotely without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N). The vulnerability impacts the confidentiality, integrity, and availability of the backend database, as attackers could potentially extract sensitive data, modify or delete records, or disrupt service availability. The CVSS 4.0 base score of 6.9 classifies this vulnerability as medium severity, reflecting the ease of exploitation combined with limited scope and impact (VC:L/VI:L/VA:L). Although no known exploits are currently reported in the wild, the public disclosure of the vulnerability increases the risk of exploitation by threat actors. The Baptism Information Management System is likely used by religious organizations or institutions to manage baptism records, which may contain personally identifiable information (PII) and sensitive religious data. The lack of patches or mitigation links suggests that users of version 1.0 remain vulnerable until an update or workaround is provided by the vendor or community.

Potential Impact

For European organizations, particularly religious institutions, churches, and community centers that utilize the itsourcecode Baptism Information Management System, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive personal and religious data. Exploitation could lead to unauthorized disclosure of baptism records, including names, dates, and potentially other personal identifiers, violating data protection regulations such as the GDPR. Additionally, attackers could manipulate or delete records, undermining trust and operational continuity. The availability of the system could also be impacted if attackers execute destructive SQL commands or cause database corruption. Given the remote and unauthenticated nature of the exploit, attackers can easily target exposed installations, increasing the likelihood of data breaches or service disruptions. The reputational damage and potential legal consequences for mishandling personal data further amplify the impact on affected European organizations.

Mitigation Recommendations

Organizations should immediately audit their deployments of the itsourcecode Baptism Information Management System to identify any instances of version 1.0 in use. Since no official patches are currently available, administrators should implement the following specific mitigations:

1) Apply input validation and parameterized queries or prepared statements in the /listbaptism.php script to sanitize the 'bapt_id' parameter and prevent SQL injection.
2) Restrict external access to the management system by implementing network-level controls such as firewalls or VPNs to limit exposure to trusted users only.
3) Monitor and log database queries and web application traffic for suspicious activity indicative of injection attempts.
4) Regularly back up baptism data to enable recovery in case of data tampering or loss.
5) Engage with the vendor or community to obtain patches or updates addressing this vulnerability.
6) Conduct security awareness training for administrators to recognize and respond to exploitation attempts.

These targeted actions go beyond generic advice by focusing on the specific vulnerable parameter and the operational context of the affected system.
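The following is an added illustration of mitigation items 1 and 3, not code from the itsourcecode project: a hardened request handler for the 'bapt_id' parameter of /listbaptism.php that validates the value as an integer, binds it through a PDO prepared statement instead of concatenating it into the query, and logs rejected input so injection attempts show up in monitoring. The table and column names (baptism_records, bapt_id, child_name, bapt_date), the DSN and the credentials are assumptions for the example; the commented-out "vulnerable pattern" at the top is the generic CWE-89 shape, not the application's actual source.

```php
<?php
// Added example, not the vendor's code. Table/column names and the DSN are assumed.
declare(strict_types=1);

// --- Vulnerable pattern (generic CWE-89 shape, not the project's actual code) ---
// $sql = "SELECT * FROM baptism_records WHERE bapt_id = " . $_GET['bapt_id'];
// $result = mysqli_query($conn, $sql);
// The request parameter is spliced straight into the query text, so the
// database cannot tell data apart from SQL syntax.

function connect(): PDO
{
    // Assumed connection details; substitute your own DSN and credentials.
    return new PDO(
        'mysql:host=localhost;dbname=baptism;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: bound values are never parsed as SQL.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

/**
 * Validate bapt_id before it reaches the database. The record identifier is
 * numeric, so anything that is not a positive integer is rejected (null).
 */
function parseBaptId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Parameterized lookup: the identifier is bound as an integer, never concatenated.
 */
function findBaptism(PDO $pdo, int $baptId): ?array
{
    $stmt = $pdo->prepare(
        'SELECT bapt_id, child_name, bapt_date FROM baptism_records WHERE bapt_id = :id'
    );
    $stmt->bindValue(':id', $baptId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Request handling ---
$rawId  = $_GET['bapt_id'] ?? null;
$baptId = parseBaptId($rawId);

if ($baptId === null) {
    // Mitigation item 3: record rejected input (truncated) so monitoring can
    // flag repeated malformed bapt_id values from one source.
    error_log(sprintf(
        'listbaptism.php: rejected bapt_id from %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        substr((string) $rawId, 0, 100)
    ));
    http_response_code(400);
    exit('Invalid request');
}

$record = findBaptism(connect(), $baptId);
if ($record === null) {
    http_response_code(404);
    exit('Record not found');
}

header('Content-Type: application/json');
echo json_encode($record);
```

The integer validation is a defence in depth on top of the prepared statement, not a substitute for it: the prepared statement is what removes the injection primitive, while the validation keeps malformed values out of the database path entirely and gives the logging hook a clean signal to alert on.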


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-13T19:50:06.006Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c70bd7169535fb44154e47

Added to database: 9/14/2025, 6:39:19 PM

Last enriched: 9/14/2025, 6:39:47 PM

Last updated: 9/14/2025, 8:23:31 PM

