CVE-2025-68400 identifies a critical SQL Injection vulnerability in ChurchCRM, an open-source church management system, affecting all versions prior to 6.5.3. The vulnerability resides in the legacy endpoint /Reports/ConfirmReportEmail.php, which, although removed from the user interface, remains accessible directly via URL, representing a case of dead but reachable code. The flaw allows any authenticated user, regardless of assigned permissions, to inject malicious SQL commands through the familyId parameter. This injection can lead to unauthorized data access, data manipulation, or even full database compromise. The vulnerability requires no user interaction and no elevated privileges, making it trivially exploitable once authentication is achieved. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects network attack vector, low complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. Although no public exploits are reported yet, the presence of an accessible vulnerable endpoint and the ease of exploitation pose a significant risk. The issue was addressed in ChurchCRM version 6.5.3 by removing or securing the vulnerable endpoint. Organizations still running older versions remain exposed to potential attacks that could lead to data breaches, unauthorized data modification, or denial of service.

For European organizations using ChurchCRM, this vulnerability poses a severe risk to sensitive data managed within church management systems, including personal information of congregants and operational data. Exploitation could lead to unauthorized disclosure of confidential information, data corruption, or disruption of church administrative functions. Given that any authenticated user can exploit the flaw without elevated permissions, insider threats or compromised user accounts could be leveraged to launch attacks. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), and operational downtime. Since ChurchCRM is used by many religious organizations across Europe, especially in countries with large Christian populations and active church communities, the threat could affect a wide range of entities from small parishes to large dioceses. The critical severity and ease of exploitation increase the urgency for mitigation to prevent potential widespread abuse.

1. Immediate upgrade of ChurchCRM installations to version 6.5.3 or later, which patches the vulnerability by removing or securing the legacy endpoint. 2. If upgrading is not immediately possible, restrict access to the /Reports/ConfirmReportEmail.php endpoint at the web server or application firewall level to prevent direct URL access. 3. Implement strict authentication and authorization controls to limit user access and monitor for unusual authenticated activity, especially from accounts with minimal permissions. 4. Conduct regular security audits and code reviews to identify and remove dead but reachable code that may harbor vulnerabilities. 5. Enable detailed logging and monitoring of database queries and application access to detect potential exploitation attempts. 6. Educate users and administrators about the risks of legacy code and the importance of timely patching. 7. Consider deploying Web Application Firewalls (WAFs) with SQL Injection detection rules tailored to ChurchCRM traffic patterns. 8. Review and enforce least privilege principles for all user accounts to minimize potential damage from compromised credentials.