CVE-2025-66395: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-cast before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL commands, including time-based blind SQL injection attacks. Any authenticated user, regardless of their privilege level, can execute arbitrary queries on the database. This could allow them to exfiltrate, modify, or delete any data in the database, including user credentials, financial data, and personal information, leading to a full compromise of the application's data. Version 6.5.3 fixes the issue.
AI Analysis
Technical Summary
ChurchCRM, an open-source church management system, suffers from a SQL injection vulnerability identified as CVE-2025-66395, classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability is located in the src/ListEvents.php file, specifically in the handling of the WhichType POST parameter used to filter events by type. This parameter is neither properly sanitized nor type-cast before being incorporated into multiple SQL queries. Consequently, any authenticated user, regardless of privilege level, can inject arbitrary SQL commands. This includes time-based blind SQL injection techniques, enabling attackers to extract, modify, or delete sensitive data from the backend database. The vulnerability affects all versions prior to 6.5.3, which includes a patch that properly sanitizes the input. The CVSS v3.1 score is 8.8 (high), reflecting network attack vector, low attack complexity, required privileges (authenticated user), no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability's characteristics make it a significant threat to organizations using ChurchCRM.
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses a substantial risk to the confidentiality, integrity, and availability of sensitive data, including personal information, financial records, and user credentials. Given the GDPR regulations, any data breach resulting from exploitation could lead to severe legal and financial penalties. The ability for any authenticated user to execute arbitrary SQL commands means insider threats or compromised low-privilege accounts could escalate into full database compromise. This could disrupt church operations, damage reputations, and expose sensitive community data. The impact extends beyond data loss to potential service outages if attackers delete or corrupt critical data. Organizations relying on ChurchCRM for member management and financial tracking must prioritize patching to avoid these risks.
Mitigation Recommendations
European organizations should immediately upgrade ChurchCRM installations to version 6.5.3 or later, where the vulnerability is patched. Until upgrades are applied, implement strict access controls to limit authenticated user accounts and monitor for unusual database queries or application behavior indicative of SQL injection attempts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the WhichType parameter. Conduct regular code reviews and penetration testing focused on input validation and sanitization. Additionally, enforce the principle of least privilege for user accounts within ChurchCRM to reduce the risk posed by compromised credentials. Maintain comprehensive logging and alerting on database queries to detect exploitation attempts early. Finally, ensure backups are current and tested to enable recovery from data corruption or deletion.
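The defect class described above and the type-cast fix the advisory calls for, shown as a constructed PHP example rather than ChurchCRM's own code: an event-type filter that concatenates the raw `WhichType` POST value into SQL, beside a hardened form that validates the value as an integer and binds it as a query parameter. The table name `events_event`, the column `type_id` and the in-memory SQLite setup are assumptions made for the demo.

```php
<?php
// Constructed illustration of CWE-89 in an event-type filter; this is not
// ChurchCRM's own code. Assumed names: table events_event, column type_id.

// BEFORE: the raw POST value is concatenated into the SQL text, so whoever
// controls WhichType controls the query (the pattern the advisory describes).
function listEventsVulnerable(PDO $pdo, array $post): array
{
    $sql = "SELECT id, title FROM events_event WHERE type_id = " . ($post['WhichType'] ?? '0');
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER, step 1: validate and type-cast. Only a bare non-negative integer is
// accepted; "12abc", "1e3" or anything containing SQL syntax is rejected.
function parseWhichType(array $post): ?int
{
    if (!isset($post['WhichType']) || $post['WhichType'] === '') {
        return null;                                   // no filter requested
    }
    $value = filter_var($post['WhichType'], FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    if ($value === false) {
        throw new InvalidArgumentException('WhichType must be a non-negative integer');
    }
    return $value;
}

// AFTER, step 2: even the validated integer is bound as a parameter, so the
// SQL text itself never depends on user input.
function listEventsHardened(PDO $pdo, array $post): array
{
    $typeId = parseWhichType($post);
    $sql = "SELECT id, title FROM events_event" . ($typeId === null ? "" : " WHERE type_id = :type_id");
    $stmt = $pdo->prepare($sql);
    if ($typeId !== null) {
        $stmt->bindValue(':type_id', $typeId, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE events_event (id INTEGER PRIMARY KEY, title TEXT, type_id INTEGER)");
$pdo->exec("INSERT INTO events_event VALUES (1,'Service',1), (2,'Choir',2), (3,'Picnic',1)");
print_r(listEventsHardened($pdo, ['WhichType' => '1']));   // the two type-1 rows
try {
    listEventsHardened($pdo, ['WhichType' => '12abc']);     // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The validation step is what makes the rejection loggable: a failed `parseWhichType` call is a clean signal for the query-monitoring and alerting the recommendations above describe, whereas the vulnerable form hands the malformed value straight to the database.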
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-28T23:33:56.362Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694302860b6f32e62bed0ec3
Added to database: 12/17/2025, 7:20:38 PM
Last enriched: 12/17/2025, 7:35:33 PM
Last updated: 12/18/2025, 3:54:12 AM