CVE-2025-67877: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-67877 is a SQL injection vulnerability identified in the open-source ChurchCRM software, specifically in versions prior to 6.5.3. The vulnerability arises from improper input validation in the src/CartToFamily.php file, where the PersonAddress POST parameter is handled without the necessary type casting or sanitization. While other parameters in the same file are securely cast to integers using the InputUtils class, PersonAddress lacks this protection, allowing malicious actors to inject specially crafted SQL commands directly into the backend database query. This flaw falls under CWE-89, which concerns improper neutralization of special elements used in SQL commands. The vulnerability has a CVSS 4.0 base score of 7.4, indicating high severity, with metrics showing network attack vector, low attack complexity, no user interaction, and low privileges required. The impact on confidentiality, integrity, and availability is high, as attackers can manipulate database queries to exfiltrate sensitive data, modify records, or disrupt service. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and fixed in ChurchCRM version 6.5.3. Organizations running vulnerable versions should upgrade promptly to mitigate risk.
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses significant risks including unauthorized access to sensitive personal data of church members, alteration or deletion of records, and potential disruption of church management operations. Given that ChurchCRM is used primarily by religious and non-profit organizations, the breach of personal data could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. The ability to execute arbitrary SQL commands could also allow attackers to pivot within the network if the CRM database is integrated with other systems. The lack of required user interaction and low privilege requirements increase the likelihood of exploitation once an attacker has authenticated access, which may be easier to obtain through phishing or credential reuse. The impact is compounded in environments where ChurchCRM databases contain extensive personal or financial information.
Mitigation Recommendations
European organizations should immediately upgrade ChurchCRM installations to version 6.5.3 or later, where the vulnerability is patched. Until the upgrade is applied, organizations should implement strict input validation and sanitization on the PersonAddress parameter at the web application firewall (WAF) or reverse proxy level to block SQL injection payloads. Employing parameterized queries or prepared statements in custom integrations can further reduce risk. Monitoring database logs for unusual queries and setting up alerts for suspicious activity related to the CartToFamily.php endpoint is recommended. Additionally, enforcing strong authentication controls and limiting user privileges can reduce the attack surface. Regular security audits and penetration testing focused on input validation in ChurchCRM deployments will help detect similar issues proactively.
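The defect class described in the Technical Summary above, next to the hardened form the mitigation section recommends, as an added PHP illustration that is not ChurchCRM's own code. The table, column and FamilyId parameter names are constructed, and the filterInt helper is a stand-in for the integer cast the advisory attributes to InputUtils; it runs stand-alone against an in-memory SQLite database via PDO.

```php
<?php
declare(strict_types=1);
// Added illustration, not ChurchCRM's code: one POST parameter (PersonAddress)
// skipping the integer cast its neighbours receive, beside the hardened form.
// Schema and the FamilyId name are constructed; filterInt stands in for InputUtils.

function filterInt(array $src, string $key): int
{
    // Accept only a plain decimal integer; anything else collapses to 0.
    return preg_match('/^-?\d+$/', (string) ($src[$key] ?? '')) ? (int) $src[$key] : 0;
}

// Vulnerable shape: PersonAddress is concatenated into the SQL text uncast.
function buildQueryVulnerable(array $post): string
{
    $familyId = filterInt($post, 'FamilyId');   // cast, as the other parameters are
    $personId = $post['PersonAddress'] ?? '';   // missing cast: the raw request string
    return "SELECT address FROM person WHERE id = $personId AND family_id = $familyId";
}

// Hardened shape: cast every parameter and bind it, so no value becomes SQL text.
function lookupHardened(PDO $db, array $post): ?string
{
    $familyId = filterInt($post, 'FamilyId');
    $personId = filterInt($post, 'PersonAddress');
    $stmt = $db->prepare('SELECT address FROM person WHERE id = :id AND family_id = :fam');
    $stmt->execute([':id' => $personId, ':fam' => $familyId]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE person (id INTEGER PRIMARY KEY, family_id INTEGER, address TEXT)');
$db->exec("INSERT INTO person VALUES (1, 1, '1 Main St'), (2, 1, '2 High St')");

// Constructed requests: a well-formed one and one whose PersonAddress is not an integer.
$good = ['FamilyId' => '1', 'PersonAddress' => '2'];
$bad  = ['FamilyId' => '1', 'PersonAddress' => '2 x'];

echo buildQueryVulnerable($bad), PHP_EOL;   // the uncast "2 x" is now part of the SQL text
var_dump(lookupHardened($db, $good));       // the bound, cast id resolves to a row
var_dump(lookupHardened($db, $bad));        // non-integer input is rejected before the query runs
```

In the hardened form the cast alone would already stop the string from reaching the query; binding the value as well means a future parameter that misses the cast still cannot alter the SQL text.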
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-12T18:53:03.237Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6943229bfab815a9fc1fb3e0
Added to database: 12/17/2025, 9:37:31 PM
Last enriched: 12/24/2025, 10:55:05 PM
Last updated: 2/6/2026, 5:36:57 AM
Views: 58