CVE-2025-66313 identifies a time-based blind SQL injection vulnerability in ChurchCRM, an open-source church management system widely used for managing congregation data. The vulnerability exists in versions 6.2.0 and earlier within the handling of the 1FieldSec parameter. Specifically, the application fails to properly sanitize or parameterize this input before incorporating it into SQL queries. An attacker can exploit this by injecting SQL commands such as SLEEP(), which causes deterministic delays in server responses. These delays confirm that the input is executed as part of the SQL query, allowing blind SQL injection techniques to extract or modify data without direct feedback. The vulnerability requires the attacker to have high privileges (PR:H) but does not require user interaction or authentication tokens. The CVSS 4.0 score is 5.1 (medium severity), reflecting the moderate impact on confidentiality and integrity, with limited impact on availability. No patches or known exploits are currently available, but the flaw represents a significant risk to data confidentiality and integrity within affected ChurchCRM deployments. The vulnerability is classified under CWE-89, indicating improper neutralization of special elements used in SQL commands.

For European organizations using ChurchCRM, this vulnerability could lead to unauthorized access to sensitive personal and organizational data, including member information, donation records, and internal communications. Data exfiltration or unauthorized modification could damage organizational reputation, violate data protection regulations such as GDPR, and lead to legal and financial consequences. The requirement for high privileges limits the attack surface to insiders or compromised accounts, but the lack of user interaction needed means automated exploitation is feasible once access is obtained. The medium severity rating suggests moderate risk, but the potential for data breaches in religious organizations, which often hold sensitive community data, is significant. Disruption to data integrity could also affect operational continuity. Given the open-source nature of ChurchCRM, European churches and related organizations should be vigilant in monitoring and mitigating this threat.

1. Monitor ChurchCRM project channels for official patches and apply updates promptly once available. 2. Until patches are released, restrict access to the vulnerable 1FieldSec parameter by implementing strict input validation and sanitization at the application or web server level. 3. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts, including time-based blind techniques. 4. Limit user privileges strictly to reduce the risk of high-privilege account compromise, employing the principle of least privilege. 5. Conduct regular security audits and penetration testing focused on injection flaws within ChurchCRM deployments. 6. Implement network segmentation to isolate ChurchCRM servers from broader organizational networks to limit lateral movement in case of compromise. 7. Educate administrators and users about the risks of SQL injection and encourage strong credential management to prevent privilege escalation.