CVE-2025-67751 is an SQL injection vulnerability classified under CWE-89 affecting ChurchCRM, an open-source church management system. The flaw exists in the EventEditor.php file prior to version 6.5.0, specifically in the handling of the EN_tyid POST parameter used when creating new events and selecting event types. This parameter is not properly sanitized, allowing an authenticated user with the isAddEvent permission to inject arbitrary SQL commands. Exploitation can lead to unauthorized data disclosure, data manipulation, or complete compromise of the underlying database, impacting confidentiality, integrity, and availability. The vulnerability requires network access and authenticated privileges but no additional user interaction. The CVSS 3.1 base score is 7.2, reflecting high severity due to low attack complexity and high impact. No public exploits are currently known, but the vulnerability presents a significant risk if exploited. The issue is resolved in ChurchCRM version 6.5.0, which implements proper input validation and sanitization for the EN_tyid parameter.

For European organizations using ChurchCRM, particularly churches, religious institutions, and community groups, this vulnerability poses a serious risk. Exploitation could lead to unauthorized access to sensitive member data, event details, and potentially financial information if stored in the CRM. Data integrity could be compromised by malicious SQL commands altering records, and availability could be disrupted by destructive queries. This could result in reputational damage, legal consequences under GDPR due to data breaches, and operational disruption. Since the vulnerability requires authenticated access with event management permissions, insider threats or compromised credentials increase risk. The impact is amplified in countries with strong data protection regulations and active church communities relying on ChurchCRM for daily operations.

The primary mitigation is to upgrade ChurchCRM installations to version 6.5.0 or later, where the vulnerability is fixed. Organizations should audit and restrict event management permissions (isAddEvent) to only trusted and necessary users to minimize the attack surface. Implement additional input validation and sanitization at the application layer for all user-supplied data, especially POST parameters. Employ database activity monitoring and anomaly detection to identify suspicious SQL queries. Regularly review logs for unauthorized access attempts or unusual behavior. Consider network segmentation to limit access to the CRM system and enforce strong authentication mechanisms, such as multi-factor authentication, for users with elevated privileges. Conduct security awareness training to reduce risks from credential compromise. Finally, maintain up-to-date backups to enable recovery in case of data corruption or loss.