CVE-2025-28983 is a critical SQL Injection vulnerability (CWE-89) found in ClickandPledge's Click & Pledge Connect product, specifically affecting versions from 25.04010101 through WP6.8. This vulnerability arises due to improper neutralization of special elements in SQL commands, allowing an attacker to inject malicious SQL code. Exploitation requires no authentication or user interaction, and the attack vector is network-based, making it remotely exploitable. Successful exploitation can lead to full compromise of the underlying database, resulting in unauthorized access to sensitive data, modification or deletion of data, and privilege escalation within the application. The CVSS v3.1 base score is 9.8, reflecting the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a prime target for attackers once exploit code becomes available. The lack of available patches at the time of disclosure increases the urgency for mitigation. Given that Click & Pledge Connect is a platform often used for online payment processing and fundraising activities, the compromise could lead to significant data breaches and financial fraud.

For European organizations using Click & Pledge Connect, this vulnerability poses a severe risk. The ability to perform SQL Injection without authentication means attackers can remotely access and manipulate sensitive financial and personal data, potentially violating GDPR and other data protection regulations. This could result in substantial legal penalties, reputational damage, and financial losses. Organizations involved in non-profits, fundraising, or payment processing are particularly at risk, as attackers could alter transaction records or exfiltrate donor information. The potential for privilege escalation also means attackers could gain administrative control over the application, facilitating further lateral movement within the network. The disruption of availability could impact business continuity, especially for organizations relying on the platform for critical fundraising campaigns or payment operations.

Immediate mitigation steps include implementing Web Application Firewalls (WAFs) with specific SQL Injection detection and blocking rules tailored to the Click & Pledge Connect application traffic. Network segmentation should be enforced to limit access to the application backend and database servers. Organizations should conduct thorough input validation and parameterized query reviews in any custom integrations with the platform. Monitoring and logging of database queries and application logs should be enhanced to detect anomalous activities indicative of SQL Injection attempts. Until an official patch is released, consider restricting access to the application to trusted IP ranges or VPN-only access where feasible. Regular backups of the database should be maintained and tested for integrity to enable recovery in case of data tampering. Finally, organizations should stay alert for vendor advisories and apply patches promptly once available.