CVE-2025-68112: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-68112 is a critical-severity SQL injection vulnerability affecting ChurchCRM, an open-source church management system used for managing member data, events, and financial records. The flaw exists in the Event Attendee Editor component in versions prior to 6.5.3, where improper neutralization of special elements in SQL commands allows authenticated users to inject SQL into a query built from their input. This vulnerability falls under CWE-89, the class of bugs in which untrusted input is concatenated into a SQL statement instead of being passed as a bound parameter. Exploitation requires only an authenticated account, which may be a legitimate low-privilege user or a compromised one; no administrative rights are needed. Once exploited, attackers can execute arbitrary SQL commands on the backend database, enabling them to extract sensitive data such as member personal information, authentication credentials, and financial details. They can also manipulate or delete data, escalate privileges by stealing administrative credential hashes, and potentially take over the entire system. The vulnerability has a CVSS v3.1 base score of 9.6, which falls in the Critical band, reflecting its impact on confidentiality and integrity with a network attack vector, low attack complexity, and no user interaction required. Although no public exploits have been reported yet, SQL injection in an authenticated form handler is straightforward to find and weaponize, so timely patching is essential. The vendor addressed the issue in ChurchCRM version 6.5.3; the standard fix for CWE-89 is to replace string-built queries with parameterized (prepared) statements and to validate the expected type of each input.
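The following is an added illustration of the bug class, not ChurchCRM's code: the table names, column names and the event-ID parameter are hypothetical stand-ins, and the database is an in-memory SQLite instance built from constructed rows. It shows an attendee lookup that concatenates the event ID into the query, the UNION-based payload that turns that lookup into a dump of a user table, and the parameterized version that neutralizes the same payload.

```python
import sqlite3

# Constructed demo schema standing in for a CRM database. The names are
# hypothetical and do not reflect ChurchCRM's real schema.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE event_attend (id INTEGER PRIMARY KEY, event_id INTEGER, person_name TEXT);
        INSERT INTO event_attend VALUES (1, 7, 'Alice'), (2, 7, 'Bob'), (3, 8, 'Carol');
        CREATE TABLE user_usr (usr_id INTEGER PRIMARY KEY, usr_username TEXT, usr_password TEXT);
        INSERT INTO user_usr VALUES (1, 'admin', '$2y$10$constructedhash');
        """
    )
    return db


def attendees_vulnerable(db, event_id):
    # CWE-89: the request parameter is pasted straight into the SQL text,
    # so anything after the number becomes part of the statement.
    sql = f"SELECT person_name FROM event_attend WHERE event_id = {event_id}"
    return [row[0] for row in db.execute(sql)]


def attendees_safe(db, event_id):
    # Fix: bind the value as a parameter. The driver sends it separately
    # from the statement, so it can never change the query's structure.
    sql = "SELECT person_name FROM event_attend WHERE event_id = ?"
    return [row[0] for row in db.execute(sql, (event_id,))]


def validate_event_id(raw):
    # Belt-and-braces: an event ID is a positive integer, so reject
    # anything else before it reaches the database layer at all.
    value = int(raw)  # raises ValueError on "7 UNION ALL SELECT ..."
    if value <= 0:
        raise ValueError("event id must be positive")
    return value


# Constructed payload: a UNION ALL that appends every username:hash pair
# from the user table to the attendee list returned to the attacker.
PAYLOAD = "7 UNION ALL SELECT usr_username || ':' || usr_password FROM user_usr"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, benign id :", attendees_vulnerable(db, "7"))
    print("vulnerable, payload   :", attendees_vulnerable(db, PAYLOAD))
    print("parameterized, payload:", attendees_safe(db, PAYLOAD))
```

The vulnerable call returns the real attendees followed by the admin credential hash; the parameterized call with the same payload returns nothing, because SQLite compares the integer column against the whole string as a value rather than parsing it as SQL. Any SQL injection review of the patched component should confirm that the same change was made to every query that touches the attendee editor's inputs, not just the one reported.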
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive data, including personal member information and financial records. Exploitation could lead to large-scale data breaches, violating GDPR and other data protection regulations, resulting in legal penalties and reputational damage. Administrative credential theft could allow attackers to gain full control over the CRM system, potentially disrupting church operations and associated services. The exposure of financial data could also lead to fraud or financial loss. Given the critical severity and the network-based attack vector, unpatched systems are highly vulnerable to remote exploitation by insiders or attackers who have obtained user credentials. This threat is particularly impactful for European churches and religious organizations that rely on ChurchCRM for managing sensitive community data and financial transactions.
Mitigation Recommendations
European organizations should immediately upgrade ChurchCRM installations to version 6.5.3 or later, where the vulnerability is patched. Until the upgrade is applied, restrict access to the Event Attendee Editor to trusted and verified users only, and enforce strong authentication such as multi-factor authentication to reduce the risk of credential compromise; because any authenticated account is sufficient to exploit the flaw, every user account is a potential entry point, not only administrative ones. Audit user accounts and permissions so that only necessary personnel have access to sensitive modules, and disable dormant accounts. Implement network segmentation and firewall rules to limit access to the CRM system from untrusted networks. Monitor web-server and application logs for SQL keywords and quote characters in request parameters, and database logs for unexpected UNION, sleep-based or error-producing queries, as indicators of exploitation attempts. Regularly back up CRM data securely, and keep backups offline, to enable recovery in case of compromise. A web application firewall with rules targeting SQL injection in the vulnerable endpoints can reduce exposure, but it is a compensating control that a determined attacker can often bypass with encoding or alternate syntax, so it does not replace the upgrade. Finally, educate users about the risks of credential sharing and phishing attacks that could lead to unauthorized access.
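As an added example of the log monitoring recommended above (added here, not part of the original advisory or of ChurchCRM), the script below scans constructed Apache/nginx-style access log lines, URL-decodes each query-string parameter and flags values that carry SQL injection markers. The path `/attendee-editor.php` and parameter name `event` are hypothetical placeholders, not ChurchCRM's real routes.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access log lines (combined log format, fields truncated).
# Not real traffic; the path and parameter name are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Dec/2025:21:00:01 +0000] "GET /attendee-editor.php?event=7 HTTP/1.1" 200 512
10.0.0.5 - - [17/Dec/2025:21:00:09 +0000] "GET /attendee-editor.php?event=7%20UNION%20ALL%20SELECT%20usr_password%20FROM%20user_usr HTTP/1.1" 200 2048
10.0.0.9 - - [17/Dec/2025:21:01:30 +0000] "GET /attendee-editor.php?event=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001
10.0.0.7 - - [17/Dec/2025:21:02:00 +0000] "POST /attendee-editor.php?event=8 HTTP/1.1" 302 0
"""

# Minimal parser for the common/combined log prefix: client, timestamp,
# method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Signatures applied to the *decoded* parameter value. Ordered from most
# to least specific; the first match wins for a given parameter.
SQLI_PATTERNS = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "UNION-based SELECT"),
    (re.compile(r"(?:'|\")\s*(?:or|and)\s*(?:'|\")?\w+(?:'|\")?\s*=", re.I), "tautology"),
    (re.compile(r";\s*(?:drop|delete|update|insert)\b", re.I), "stacked statement"),
    (re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I), "time-based probe"),
    (re.compile(r"(?:--|/\*|#)"), "SQL comment"),
]


def scan_access_log(text):
    """Return one hit per suspicious parameter: who, where, which parameter, why."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes values, so encoded quotes and spaces are visible
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            for pattern, reason in SQLI_PATTERNS:
                if pattern.search(value):
                    hits.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "path": parts.path,
                        "param": key,
                        "reason": reason,
                        "value": value,
                        "status": int(m.group("status")),
                        "bytes": int(m.group("bytes")),
                    })
                    break
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} {hit['param']}={hit['value']!r}: {hit['reason']}")
```

Two caveats a practitioner should keep in mind. First, access logs only show the query string; an injection submitted in a POST body, as an editor form would normally do, is invisible here unless the application or reverse proxy logs request bodies, so pair this with database-side query logging. Second, the comment and tautology signatures will occasionally fire on legitimate free-text values, so triage on the combination of signals (a successful status, an unusually large response size for that endpoint, repeated probes from one client) rather than on a single pattern match.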
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T14:44:59.221Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943260ffab815a9fc251850
Added to database: 12/17/2025, 9:52:15 PM
Last enriched: 12/17/2025, 10:07:06 PM
Last updated: 12/18/2025, 7:21:40 AM