
CVE-2025-66396: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM

Severity: High
Published: Wed Dec 17 2025 (12/17/2025, 19:10:49 UTC)
Source: CVE Database V5
Vendor/Project: ChurchCRM
Product: CRM

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are neither sanitized nor type cast before being used in multiple SQL queries. This allows a malicious or compromised administrator account to execute arbitrary SQL commands, including time-based blind SQL injection attacks, to interact directly with the database. The vulnerability is located in `src/UserEditor.php` within the logic that handles saving user-specific configuration settings. The `type` parameter from the POST request is processed as an array. The code iterates through this array and uses `key($type)` to extract the array key, which is expected to be a numeric ID. This key is then assigned to the `$id` variable. The `$id` variable is subsequently concatenated directly into a `SELECT` and an `UPDATE` SQL query without any sanitization or validation, making it an injection vector. Although exploitation requires administrator privileges, it allows a malicious or compromised admin account to execute arbitrary SQL queries. This can be used to bypass any application-level logging or restrictions, directly manipulate the database, exfiltrate, modify, or delete all data (including other user credentials, financial records, and personal information), and could potentially lead to further system compromise, such as writing files to the server, depending on the database's configuration and user privileges. Version 6.5.3 patches the issue.

AI-Powered Analysis

Last updated: 12/17/2025, 19:36:14 UTC

Technical Analysis

CVE-2025-66396 is a SQL injection vulnerability identified in ChurchCRM, an open-source church management system, affecting versions prior to 6.5.3. The flaw exists in the src/UserEditor.php file, specifically in the handling of the 'type' POST parameter array during the saving of user configuration settings by administrators. The vulnerability stems from the failure to properly sanitize or validate the keys of the 'type' array, which are expected to be numeric IDs but are directly used in SQL queries without any type casting or escaping. The code extracts the key using key($type) and assigns it to the $id variable, which is then concatenated into SELECT and UPDATE SQL statements. This improper neutralization of special elements (CWE-89) enables a malicious or compromised administrator to perform arbitrary SQL injection attacks, including time-based blind SQL injection. The impact includes the ability to manipulate the database directly, bypass application-level controls, exfiltrate sensitive data such as user credentials and financial records, modify or delete data, and potentially escalate the attack to write files on the server depending on database privileges. The vulnerability requires administrator-level access, which limits exploitation to insiders or attackers who have compromised admin credentials. The issue was addressed and patched in ChurchCRM version 6.5.3. The CVSS v3.1 base score is 7.2, reflecting high severity due to network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of the publication date.

Potential Impact

For European organizations using ChurchCRM, this vulnerability poses a significant risk due to the potential for complete database compromise by malicious insiders or attackers who have gained administrator credentials. The ability to execute arbitrary SQL commands can lead to unauthorized access to sensitive personal data, including personal identifiers, financial information, and user credentials, which is critical under GDPR regulations. Data integrity and availability are also at risk, as attackers could modify or delete records, disrupting operations and trust. Additionally, depending on database permissions, attackers might escalate the attack to compromise the underlying server, leading to broader network infiltration. The insider threat aspect is particularly concerning for churches and religious organizations that may have limited cybersecurity resources. Failure to patch could result in regulatory penalties, reputational damage, and operational disruptions.

Mitigation Recommendations

European organizations should immediately upgrade ChurchCRM installations to version 6.5.3 or later to remediate this vulnerability. Until patched, restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Conduct regular audits of administrator activities and monitor database queries for unusual patterns indicative of SQL injection attempts. Apply least privilege at the database level: the database account ChurchCRM connects with should hold only the permissions the application needs, with no file-write or system-command capabilities. Employ web application firewalls (WAFs) with rules to detect and block SQL injection payloads targeting the affected endpoints. Additionally, review and sanitize all user input rigorously in custom code, and use parameterized queries or prepared statements to prevent injection vulnerabilities. Finally, maintain regular backups of critical data to enable recovery in case of data tampering or loss.
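The following is an added illustration, not code from ChurchCRM or from this advisory. It reproduces the pattern the Description and Technical Analysis sections describe (an array key taken as an ID and concatenated into an `UPDATE` statement) beside the hardened form the Mitigation Recommendations call for (strict validation of the key as a positive integer plus a parameterized query). The table name `user_config`, its columns, the sample rows and the crafted key are all constructed for the demo; the real application is PHP and this is written in Python with an in-memory SQLite database so that it runs stand-alone.

```python
import re
import sqlite3

# Constructed schema standing in for a per-user settings table; the
# table and column names are assumptions, not ChurchCRM's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_config (id INTEGER PRIMARY KEY, type TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_config VALUES (?, ?, ?)",
        [(1, "text", "a"), (2, "text", "b"), (3, "text", "c")],
    )
    conn.commit()
    return conn


def snapshot(conn):
    """Return {id: type} so the effect of each save can be compared."""
    return {
        row[0]: row[1]
        for row in conn.execute("SELECT id, type FROM user_config ORDER BY id")
    }


def save_settings_vulnerable(conn, post_type):
    """Mirrors the flawed pattern: the array key becomes the id and is
    concatenated into the WHERE clause with no cast or validation.
    Only the key is concatenated; the value is bound as a parameter so
    the demo isolates the vector the advisory describes."""
    for key, new_type in post_type.items():
        id_ = key  # no validation, no type cast
        sql = "UPDATE user_config SET type = ? WHERE id = " + str(id_)
        conn.execute(sql, (new_type,))
    conn.commit()
    return snapshot(conn)


class InvalidSettingId(ValueError):
    """Raised when a submitted settings key is not a canonical positive integer."""


# Accept only the canonical decimal form of a positive integer: no sign,
# no whitespace, no leading zeros, nothing but digits.
_ID_RE = re.compile(r"[1-9][0-9]*")


def parse_setting_id(key):
    text = str(key)
    if not _ID_RE.fullmatch(text):
        raise InvalidSettingId(f"rejected setting id {text!r}")
    return int(text)


def rejects(key):
    """True if the hardened validator refuses this key."""
    try:
        parse_setting_id(key)
    except InvalidSettingId:
        return True
    return False


def save_settings_hardened(conn, post_type):
    """Hardened form: validate the key, confirm the row exists, and bind
    both the id and the value as query parameters."""
    for key, new_type in post_type.items():
        id_ = parse_setting_id(key)
        exists = conn.execute(
            "SELECT 1 FROM user_config WHERE id = ?", (id_,)
        ).fetchone()
        if exists is None:
            raise InvalidSettingId(f"unknown setting id {id_}")
        conn.execute(
            "UPDATE user_config SET type = ? WHERE id = ?", (new_type, id_)
        )
    conn.commit()
    return snapshot(conn)


if __name__ == "__main__":
    benign = {"2": "date"}
    crafted = {"2 OR 1=1": "date"}  # constructed key showing how the WHERE clause changes
    print("vulnerable, benign key:  ", save_settings_vulnerable(make_db(), benign))
    print("vulnerable, crafted key: ", save_settings_vulnerable(make_db(), crafted))
    print("hardened, benign key:    ", save_settings_hardened(make_db(), benign))
    print("hardened rejects crafted:", rejects("2 OR 1=1"))
```

With the benign key only row 2 changes in either version; with the crafted key the vulnerable version rewrites every row because the key has become part of the query text, while the hardened version refuses the key before any SQL runs. The same two controls (integer validation of `$id` and a prepared statement) are what a PHP fix would apply at the same point in `src/UserEditor.php`.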


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-28T23:33:56.363Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 694302860b6f32e62bed0eb7

Added to database: 12/17/2025, 7:20:38 PM

Last enriched: 12/17/2025, 7:36:14 PM

Last updated: 12/18/2025, 10:59:25 AM
