CVE-2025-66313: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques.
AI Analysis
Technical Summary
CVE-2025-66313 is a time-based blind SQL injection vulnerability in ChurchCRM, an open-source church management system widely used for managing congregation data and activities. It affects versions 6.2.0 and earlier, specifically the handling of the 1FieldSec parameter. The flaw is an improper neutralization of special elements in SQL commands (CWE-89): an attacker can inject SQL payloads such as SLEEP() that cause deterministic delays in the server's response time, which confirms that the input is incorporated into a SQL query without parameterization or sanitization. Exploitation requires high privileges (PR:H) but no user interaction (UI:N) and no authentication beyond those privileges. The impact is the ability to exfiltrate sensitive data or modify database contents through blind SQL injection techniques, compromising confidentiality and integrity. The CVSS 4.0 score is 5.1 (medium severity), reflecting the moderate risk given the need for authenticated high privileges and the absence of known active exploits. No patches or fixes are currently published, which increases the urgency of compensating controls. The vulnerability does not directly affect availability, but exploitation could lead to data breaches or unauthorized data manipulation.
Potential Impact
For European organizations using ChurchCRM, this vulnerability could lead to unauthorized disclosure of sensitive personal and organizational data managed within the CRM, including member information, donation records, and event details. Data integrity could also be compromised, potentially disrupting church operations or causing reputational damage. Given that exploitation requires high privileges, insider threats or compromised administrator accounts pose the greatest risk. The absence of known exploits reduces immediate risk but does not eliminate it, especially as attackers may develop exploits over time. Organizations relying on ChurchCRM for critical community management functions could face regulatory scrutiny under GDPR if personal data is exposed. The medium severity rating indicates a moderate but actionable threat that should be addressed promptly to avoid escalation or lateral movement within networks.
Mitigation Recommendations
1. Restrict access to ChurchCRM administrative interfaces and ensure that only trusted, authenticated users have high-level privileges.
2. Implement strict input validation and sanitization on all user-supplied parameters, especially 1FieldSec, to prevent injection of SQL commands.
3. Deploy Web Application Firewalls (WAFs) with rules specifically targeting SQL injection patterns, including time-based blind injection techniques.
4. Monitor database query logs and application logs for unusual delays or anomalous queries indicative of injection attempts.
5. Isolate ChurchCRM instances in segmented network zones to limit potential lateral movement if compromised.
6. Regularly audit user privileges and revoke unnecessary high-level access.
7. Stay informed about official patches or updates from ChurchCRM and apply them immediately upon release.
8. Consider temporary workarounds such as disabling or restricting the vulnerable parameter usage until a patch is available.
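As an added defender-side example (not from the advisory or the ChurchCRM project), the following Python script implements recommendation 4 for this specific flaw: it scans constructed web-server access lines that carry a request-duration field, flags any 1FieldSec value containing a MySQL delay primitive (SLEEP(), named by the advisory, plus BENCHMARK()), and separately flags responses far slower than the endpoint's normal sub-second timing. The log format, the placeholder path, the MySQL-style backend and the 3-second threshold are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in a combined-log-like format with a trailing
# request-duration field in seconds. The path is a placeholder, not a real
# ChurchCRM endpoint; only the 1FieldSec parameter name comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Dec/2025:22:10:01 +0000] "GET /app/placeholder.php?1FieldSec=3 HTTP/1.1" 200 0.120
10.0.0.5 - admin [01/Dec/2025:22:10:09 +0000] "GET /app/placeholder.php?1FieldSec=3%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 5.131
10.0.0.7 - viewer [01/Dec/2025:22:11:40 +0000] "GET /app/placeholder.php?1FieldSec=12 HTTP/1.1" 200 0.098
10.0.0.5 - admin [01/Dec/2025:22:12:02 +0000] "GET /app/placeholder.php?1FieldSec=3%27+AND+IF%281%3D1%2CSLEEP%285%29%2C0%29--+ HTTP/1.1" 200 5.207
10.0.0.9 - admin [01/Dec/2025:22:13:15 +0000] "GET /app/placeholder.php?1FieldSec=8 HTTP/1.1" 200 4.020
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<secs>[\d.]+)$')

# Delay primitives used for time-based blind SQLi on an assumed MySQL/MariaDB backend.
TIME_FUNCS = re.compile(r'\b(SLEEP|BENCHMARK)\s*\(', re.IGNORECASE)
WATCHED_PARAM = "1FieldSec"
SLOW_SECS = 3.0  # assumed threshold: this endpoint normally answers in well under a second


def analyze(log_text):
    """Return one finding per request that looks like time-based blind SQLi probing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # parse_qs already percent-decodes values, so the regex sees the raw payload.
        values = parse_qs(urlparse(m["target"]).query).get(WATCHED_PARAM, [])
        has_time_func = any(TIME_FUNCS.search(v) for v in values)
        secs = float(m["secs"])
        if not has_time_func and secs < SLOW_SECS:
            continue
        # A payload plus a matching delay is the strongest signal: the delay shows the
        # injected function actually executed server-side. A delay alone is worth a look.
        confidence = "high" if (has_time_func and secs >= SLOW_SECS) else "medium"
        findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                         "payload": has_time_func, "secs": secs, "confidence": confidence})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Because exploitation requires high privileges, the `user` field of each finding is the item to feed into the privilege audit in recommendation 6.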
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Poland, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-26T23:11:46.396Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692e15786dbd3477d7482165
Added to database: 12/1/2025, 10:23:52 PM
Last enriched: 12/1/2025, 10:39:12 PM
Last updated: 12/1/2025, 11:29:14 PM