CVE-2025-67877: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-67877 is a SQL injection vulnerability (CWE-89) in the open-source ChurchCRM church management system. The flaw is in src/CartToFamily.php, in the handling of the PersonAddress POST parameter. The other parameters in that file are cast to integers through the InputUtils class before they reach the query; PersonAddress is not, so its raw value is placed into the SQL statement and an attacker can supply SQL syntax that changes what the query does. The result is arbitrary SQL executed against the ChurchCRM database, with unauthorized reads, modification, or deletion of records as the direct consequences. The CVSS 4.0 base score is 7.4 (high): network attack vector, low attack complexity, low privileges required, and no user interaction. The advisory rates the impact on confidentiality, integrity, and availability as high because the injected SQL can both read and alter database contents. Version 6.5.3 fixes the issue. No public exploit has been reported, but unpatched installations remain at significant risk.
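The pattern the summary describes, as an added example that is not ChurchCRM's own code: a handler that interpolates the un-cast parameter into the SQL text beside one that enforces the integer type and binds the value. The table and column names, the in-memory SQLite database, and the use of filter_var with a PDO prepared statement are assumptions; the project's actual fix applies its InputUtils integer cast, whose exact call is not shown on this page.

```php
<?php
// Added example, not ChurchCRM code. Table/column names and the SQLite
// in-memory database are assumptions standing in for the real schema.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE person (per_ID INTEGER PRIMARY KEY, per_FirstName TEXT)');
$pdo->exec("INSERT INTO person VALUES (1, 'Ann'), (2, 'Bob'), (3, 'Cid')");

// Vulnerable pattern: the raw POST value is concatenated into the SQL text,
// the shape the advisory describes for the un-cast PersonAddress parameter.
function vulnerableLookup(PDO $pdo, string $personAddress): array
{
    $sql = "SELECT per_ID, per_FirstName FROM person WHERE per_ID = $personAddress";
    echo "query: $sql\n";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: enforce the integer type first (the cast the other
// parameters in the file already get), then bind the value, so the SQL text
// never contains user input at all.
function hardenedLookup(PDO $pdo, string $personAddress): array
{
    $id = filter_var($personAddress, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('PersonAddress must be an integer');
    }
    $stmt = $pdo->prepare('SELECT per_ID, per_FirstName FROM person WHERE per_ID = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: a benign id and a tautology payload that turns
// the single-row lookup into a read of the whole table.
$benign  = '2';
$payload = '2 OR 1=1';

foreach ([$benign, $payload] as $value) {
    $rows = vulnerableLookup($pdo, $value);
    printf("vulnerable: PersonAddress=%s returned %d row(s)\n", $value, count($rows));
}

foreach ([$benign, $payload] as $value) {
    try {
        $rows = hardenedLookup($pdo, $value);
        printf("hardened:   PersonAddress=%s returned %d row(s)\n", $value, count($rows));
    } catch (InvalidArgumentException $e) {
        printf("hardened:   PersonAddress=%s rejected: %s\n", $value, $e->getMessage());
    }
}
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The vulnerable function returns every row for the tautology payload because the value becomes part of the WHERE clause; the hardened function rejects the same value before any SQL is built, and for the benign value the prepared statement sends the integer separately from the query text.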
Potential Impact
For European organizations using ChurchCRM, this vulnerability could lead to severe consequences including unauthorized disclosure of sensitive personal data of church members, manipulation or deletion of critical records, and disruption of church management operations. Given that ChurchCRM is used to manage community and member information, exploitation could result in privacy violations under GDPR, leading to regulatory penalties and reputational damage. The ability to execute arbitrary SQL commands could also allow attackers to pivot within the network or escalate privileges if the database contains credentials or other sensitive configuration data. The lack of required user interaction and low privilege requirements increase the likelihood of exploitation in environments where ChurchCRM is accessible over the network. This threat is particularly relevant for religious organizations, charities, and community groups that rely on ChurchCRM for operational continuity and data management.
Mitigation Recommendations
European organizations should upgrade ChurchCRM to version 6.5.3 or later; that is the only complete fix. Until the upgrade is applied, limit network access to the ChurchCRM application to trusted users and source addresses, for example behind a VPN or an IP allow-list. A WAF rule that rejects POST requests to CartToFamily.php whose PersonAddress value is not a plain integer gives temporary protection and is precise enough to avoid false positives, since the parameter is meant to be numeric. Organizations that maintain their own build can apply the same integer cast the file already uses for its other parameters as an interim patch. Review web server and database logs for requests to CartToFamily.php carrying non-numeric PersonAddress values and for unexpected query shapes from the ChurchCRM database account; these are the direct indicators of exploitation attempts. Grant the database account ChurchCRM uses only the privileges it needs on its own schema, so that an injected query cannot reach other databases or server-level functions. Finally, keep ChurchCRM backups current and test that they restore, so that deleted or altered records can be recovered.
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-12T18:53:03.237Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6943229bfab815a9fc1fb3e0
Added to database: 12/17/2025, 9:37:31 PM
Last enriched: 12/17/2025, 9:52:19 PM
Last updated: 12/18/2025, 8:10:32 AM
Related Threats
- CVE-2025-14318: CWE-863 Incorrect Authorization in M-Files Corporation M-Files Server (Medium)
- CVE-2025-6326: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in AncoraThemes Inset (High)
- CVE-2025-6324: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MatrixAddons Easy Invoice (High)
- CVE-2025-67546: Exposure of Sensitive System Information to an Unauthorized Control Sphere in weDevs WP ERP (High)
- CVE-2025-66119: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Bob Hostel (High)