CVE-2025-57896: CWE-862 Missing Authorization in andy_moyle Church Admin
Missing Authorization vulnerability in andy_moyle Church Admin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Church Admin: from n/a through 5.0.26.
AI Analysis
Technical Summary
CVE-2025-57896 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) in Church Admin, developed by andy_moyle. The flaw stems from incorrectly configured access control security levels: operations or data that should require authorization are either not checked at all or checked improperly. Affected versions run up to and including 5.0.26; the lower bound of the range is not specified (listed as 'n/a'). The CVSS v3.1 base score is 5.3 (medium). The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates that the vulnerability is reachable over the network with low attack complexity and requires neither privileges nor user interaction, with scope unchanged. The impact is limited to integrity (I:L), with no confidentiality or availability impact: an unauthenticated attacker could perform actions or modify data that should be protected by access controls, leading to data tampering or unauthorized administrative actions within Church Admin. No exploits in the wild are known, and no patch or fix has been linked yet. The vulnerability was published on August 22, 2025 and assigned by Patchstack. Church Admin is typically used by religious organizations to manage membership, events, and related administrative data.
Potential Impact
For European organizations, particularly religious institutions and churches running Church Admin, this vulnerability poses a risk of unauthorized data modification or administrative abuse. The integrity of membership records, event details, financial contributions, and other sensitive administrative data could be compromised, which could lead to misinformation, disruption of organizational operations, or loss of trust among community members. Although confidentiality and availability are not directly affected, an integrity loss could have reputational consequences and could violate data protection regulations such as GDPR if unauthorized changes affect the accuracy or processing of personal data. Unauthorized administrative actions could also introduce further security misconfigurations or data exposure. Because the flaw is exploitable remotely without authentication or user interaction, vulnerable Church Admin instances exposed to the internet or reachable within organizational networks are at risk. The absence of known in-the-wild exploitation suggests limited current activity, but it also underlines the value of proactive mitigation before a fix is available.
Mitigation Recommendations
1. Restrict network exposure of Church Admin instances immediately: do not make them publicly accessible unless absolutely necessary, and use network segmentation and firewalls to limit access to trusted users and IP ranges.
2. Enforce strict access control policies at the network and application layers, including multi-factor authentication for administrative access where possible.
3. Monitor logs and audit trails for unusual or unauthorized activity within Church Admin so that exploitation attempts are detected early.
4. Since no patch is currently available, consider virtual patching with a Web Application Firewall (WAF) that can block suspicious requests aimed at access control weaknesses.
5. Engage with the vendor or the community maintaining Church Admin to obtain updates or patches as soon as they are released.
6. Review Church Admin configurations and permissions thoroughly to confirm that access control settings are applied correctly and that no overly permissive roles exist.
7. Educate administrative users about the risk and encourage prompt reporting of anomalies.
8. Plan for timely patching once a fix is available, and validate its effectiveness through testing.
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-08-22T11:35:51.302Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68a85feead5a09ad001ebe6a
Added to database: 8/22/2025, 12:17:50 PM
Last enriched: 8/22/2025, 12:32:58 PM
Last updated: 8/22/2025, 2:29:47 PM
Related Threats
- CVE-2025-29366: n/a (severity: Unknown)
- CVE-2025-52094: n/a (severity: Unknown)
- CVE-2025-50733: n/a (severity: Unknown)
- CVE-2025-53363: CWE-73: External Control of File Name or Path in donknap dpanel (severity: Medium)
- CVE-2025-51605: n/a (severity: High)