
CVE-2025-67751: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM

Severity: High
Published: Tue Dec 16 2025 (12/16/2025, 00:46:30 UTC)
Source: CVE Database V5
Vendor/Project: ChurchCRM
Product: CRM

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue.

AI-Powered Analysis

Last updated: 12/23/2025, 04:49:12 UTC

Technical Analysis

CVE-2025-67751 is a SQL injection vulnerability classified under CWE-89 affecting ChurchCRM, an open-source church management system. The flaw exists in the EventEditor.php file in versions prior to 6.5.0, specifically in the handling of the EN_tyid POST parameter when creating new events. This parameter is not properly sanitized, allowing an authenticated user with the isAddEvent permission to inject arbitrary SQL commands. The vulnerability enables attackers to manipulate backend database queries, potentially leading to unauthorized data disclosure, data modification, or deletion, and disruption of service. The CVSS v3.1 base score is 7.2, reflecting high severity due to network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are currently known, but the vulnerability is critical for organizations relying on ChurchCRM for managing sensitive community data. The fix in version 6.5.0 involves proper input validation and sanitization of the EN_tyid parameter to prevent injection attacks.
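As an added illustration (not ChurchCRM's own code; the page does not show the actual query), the PHP below contrasts a hypothetical handler that splices `EN_tyid` straight into SQL with a hardened version that validates it as a positive integer and binds it through a prepared statement. The table and column names (`event_types`, `type_id`, `type_name`) and the function names are assumptions.

```php
<?php
// Added illustration, not ChurchCRM's own code: it models the defect pattern the
// advisory describes (EN_tyid reaching a query unvalidated) and the kind of fix
// attributed to 6.5.0. Table, column and function names are assumed.
declare(strict_types=1);

// BEFORE (assumed vulnerable pattern): the raw POST value is spliced into SQL.
function lookupEventTypeUnsafe(PDO $db, array $post): ?array
{
    $typeId = $post['EN_tyid'] ?? '';
    $row = $db->query("SELECT type_id, type_name FROM event_types WHERE type_id = $typeId")
              ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// AFTER: accept only a positive integer, then bind it as an integer parameter.
function validateEventTypeId(mixed $raw): ?int
{
    // FILTER_VALIDATE_INT rejects anything that is not a whole decimal number.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function lookupEventTypeSafe(PDO $db, array $post): ?array
{
    $typeId = validateEventTypeId($post['EN_tyid'] ?? null);
    if ($typeId === null) {
        return null; // a real handler would log this and show a validation error
    }
    $stmt = $db->prepare('SELECT type_id, type_name FROM event_types WHERE type_id = :id');
    $stmt->bindValue(':id', $typeId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_types (type_id INTEGER PRIMARY KEY, type_name TEXT)');
$db->exec("INSERT INTO event_types VALUES (1, 'Service'), (2, 'Meeting')");

var_dump(lookupEventTypeSafe($db, ['EN_tyid' => '2']));        // row for "Meeting"
var_dump(lookupEventTypeSafe($db, ['EN_tyid' => '2 OR 1=1'])); // NULL: rejected before any SQL runs
var_dump(lookupEventTypeSafe($db, ['EN_tyid' => '']));         // NULL: empty value is not an id
```

The unsafe variant is kept only for contrast and is never called in the demo; the hardened lookup refuses the value before any statement is built, which is the behaviour a log-based check for rejected event-type ids can key on.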

Potential Impact

For European organizations using ChurchCRM, this vulnerability could lead to severe consequences including unauthorized access to sensitive personal and organizational data, data corruption, or complete loss of service availability. Given that ChurchCRM is used by religious and community organizations, a successful exploit could damage trust, violate data protection regulations such as GDPR, and cause operational disruptions. The ability to execute arbitrary SQL commands means attackers could exfiltrate confidential information or alter records, impacting data integrity. Since the vulnerability requires authenticated access with event management permissions, insider threats or compromised accounts pose a significant risk. The impact extends beyond data loss to potential reputational damage and legal liabilities under European data protection laws.

Mitigation Recommendations

European organizations should immediately upgrade ChurchCRM installations to version 6.5.0 or later to apply the official patch. Until upgrading is possible, restrict event management permissions (isAddEvent) to the minimum necessary users and monitor logs for suspicious activity related to event creation. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the EN_tyid parameter. Conduct regular security audits and penetration testing focusing on input validation controls. Additionally, enforce strong authentication and session management to reduce the risk of compromised accounts. Backup databases frequently and verify backup integrity to enable recovery in case of data corruption. Finally, educate administrators and users about the risks of privilege misuse and encourage prompt application of security updates.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-11T20:30:54.927Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6940b2a5d9bcdf3f3d15a2ef

Added to database: 12/16/2025, 1:15:17 AM

Last enriched: 12/23/2025, 4:49:12 AM

Last updated: 2/7/2026, 9:34:08 AM