CVE-2025-7833 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Church Donation System, specifically within the /members/giving.php file. The vulnerability arises from improper handling of the 'Amount' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw enables attackers to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting a medium severity level, with an attack vector of network (remote exploitation), low attack complexity, and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is limited but present, as indicated by the CVSS vector components (VC:L, VI:L, VA:L). Although no known exploits are currently reported in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The absence of available patches or mitigation guidance from the vendor further exacerbates the threat landscape for users of this system.

For European organizations using the Church Donation System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of donor data and financial transaction records. Exploitation could lead to unauthorized access to sensitive personal and financial information, manipulation of donation amounts, or disruption of donation processing services. Such incidents could result in reputational damage, regulatory penalties under GDPR due to data breaches, and financial losses. Non-profit and religious organizations, which often rely on trust and transparency, may face erosion of donor confidence. Additionally, if the system is integrated with other financial or CRM systems, the impact could cascade, affecting broader organizational operations.

Organizations should immediately conduct an audit to identify deployments of the Church Donation System version 1.0. Given the lack of official patches, mitigation should focus on implementing web application firewalls (WAFs) with specific rules to detect and block SQL injection attempts targeting the 'Amount' parameter in /members/giving.php. Input validation and parameterized queries should be enforced if source code access is available to developers. Network segmentation can limit exposure of the vulnerable system. Monitoring and logging of database queries and web requests should be enhanced to detect suspicious activity. Organizations should also consider migrating to alternative donation management solutions or updated versions once available. Regular backups and incident response plans should be reviewed and updated to prepare for potential exploitation.