CVE-2025-68112: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ChurchCRM CRM
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-68112 is a critical SQL injection vulnerability identified in the ChurchCRM open-source church management system, specifically affecting versions prior to 6.5.3. The flaw resides in the Event Attendee Editor component, where improper neutralization of special elements in SQL commands allows authenticated users to inject arbitrary SQL code. This vulnerability is classified under CWE-89, indicating improper input sanitization leading to SQL injection. Exploiting this vulnerability enables attackers to execute arbitrary SQL queries on the backend database, which can lead to complete compromise of the database contents, including sensitive member information, authentication credentials, and financial data managed by the CRM. The attacker can escalate privileges by stealing administrative credentials and potentially take over the entire system. The CVSS v3.1 base score is 9.6, reflecting the high impact on confidentiality and integrity, with network attack vector, low attack complexity, and requiring privileges but no user interaction. The vulnerability scope is changed (S:C), meaning it can affect resources beyond the initially compromised component. Although no known exploits have been reported in the wild, the critical nature and ease of exploitation by authenticated users make this a significant threat. The vendor addressed the issue in ChurchCRM version 6.5.3 by patching the input validation in the Event Attendee Editor to properly neutralize SQL special characters and prevent injection.
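As an added illustration, not ChurchCRM's own code, the defect class described above beside its parameterised fix: an attendee-editor style update where a user-supplied value is spliced into the SQL text, compared with the same update using bound parameters. The table name, columns and the in-memory sqlite3 backend are assumptions standing in for the real schema and MySQL.

```python
import sqlite3

# Constructed schema standing in for an event-attendee table; names are
# assumptions, not ChurchCRM's real schema.
SCHEMA = """
CREATE TABLE event_attend (
    attend_id INTEGER PRIMARY KEY,
    event_id  INTEGER NOT NULL,
    person_id INTEGER NOT NULL,
    note      TEXT
);
INSERT INTO event_attend VALUES (1, 10, 100, 'original');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def update_note_vulnerable(conn, attend_id, note):
    # CWE-89: the note is interpolated into the statement text, so a quote
    # in it terminates the string literal and the rest is parsed as SQL.
    sql = f"UPDATE event_attend SET note = '{note}' WHERE attend_id = {attend_id}"
    conn.execute(sql)
    conn.commit()

def update_note_hardened(conn, attend_id, note):
    # Bound parameters: values travel separately from the query text, so
    # quotes and other special characters are stored verbatim as data.
    conn.execute(
        "UPDATE event_attend SET note = ? WHERE attend_id = ?",
        (note, int(attend_id)),
    )
    conn.commit()

def read_note(conn, attend_id):
    row = conn.execute(
        "SELECT note FROM event_attend WHERE attend_id = ?", (attend_id,)
    ).fetchone()
    return row[0] if row else None

def demo(note):
    """Run both versions on one input; return (vulnerable_error, hardened_note)."""
    conn = open_db()
    try:
        update_note_vulnerable(conn, 1, note)
        vuln_err = None
    except sqlite3.Error as exc:
        vuln_err = type(exc).__name__
    conn.close()
    conn = open_db()
    update_note_hardened(conn, 1, note)
    stored = read_note(conn, 1)
    conn.close()
    return vuln_err, stored
```

A legitimate value containing an apostrophe is enough to break the concatenated statement, which is the same failure to neutralise special characters that an attacker would exploit; the parameterised version stores it unchanged.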
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses a severe risk to the confidentiality and integrity of sensitive data, including personal member information and financial records. Churches and religious organizations often hold sensitive personal data protected under GDPR, so a breach could lead to significant regulatory penalties and reputational damage. The ability to steal administrative credentials and potentially take over the system could disrupt organizational operations and lead to further lateral movement within connected networks. Financial fraud or unauthorized access to donation records could also occur. Given that the vulnerability requires authenticated access, insider threats or compromised user accounts increase the risk. The impact extends beyond data loss to potential service disruption and loss of trust within communities served by these organizations.
Mitigation Recommendations
European organizations should immediately upgrade ChurchCRM installations to version 6.5.3 or later, where the vulnerability is patched. Until upgrading, restrict access to the Event Attendee Editor to only highly trusted users and monitor for unusual database queries or access patterns. Implement strong authentication controls, including multi-factor authentication, to reduce the risk of compromised credentials. Regularly audit user privileges to ensure least privilege principles are enforced. Employ web application firewalls (WAFs) with SQL injection detection capabilities to provide an additional layer of defense. Conduct security awareness training for users with access to the CRM to recognize potential phishing or credential theft attempts. Finally, maintain regular backups of CRM data to enable recovery in case of compromise.
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T14:44:59.221Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943260ffab815a9fc251850
Added to database: 12/17/2025, 9:52:15 PM
Last enriched: 12/24/2025, 10:55:47 PM
Last updated: 2/7/2026, 6:46:41 PM