CVE-2025-7859: SQL Injection in code-projects Church Donation System
A vulnerability classified as critical was found in code-projects Church Donation System 1.0. This vulnerability affects unknown code of the file /members/update_password_admin.php. The manipulation of the argument new_password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7859 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Church Donation System, specifically within the /members/update_password_admin.php file. The vulnerability arises from improper handling of the 'new_password' parameter, which allows an attacker to inject malicious SQL code remotely without any authentication or user interaction. This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with an attack vector classified as network-based and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is rated low individually but combined could lead to significant compromise depending on the database contents and system configuration. Although no known exploits have been reported in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The lack of available patches or mitigation guidance from the vendor further elevates the threat to organizations using this software. Given that the Church Donation System is likely used by religious organizations to manage donations and member information, the exposure of sensitive personal and financial data is a critical concern. The vulnerability's remote exploitability and absence of authentication requirements make it a high-risk entry point for attackers aiming to compromise backend databases or pivot into internal networks.
Potential Impact
For European organizations, particularly religious institutions and charities using the Church Donation System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of donor and member data. Exploitation could lead to unauthorized disclosure of personally identifiable information (PII), financial transaction details, and administrative credentials. Such breaches could result in reputational damage, legal liabilities under GDPR, and financial losses. Additionally, attackers could alter donation records or disrupt system availability, impacting organizational operations and trust. The medium CVSS score reflects moderate technical impact but the real-world consequences could be severe due to the sensitivity of the data handled. Since the vulnerability requires no authentication and can be exploited remotely, attackers from anywhere could target these systems, increasing the threat landscape for European entities. The absence of patches means organizations must rely on alternative mitigations to protect their systems until an official fix is released.
Mitigation Recommendations
European organizations should immediately conduct a thorough audit to identify any deployments of code-projects Church Donation System version 1.0. If found, they should consider isolating these systems from external network access to prevent remote exploitation. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'new_password' parameter can provide a critical layer of defense. Organizations should also review and harden database permissions to minimize the impact of a potential injection attack, ensuring the application uses least privilege principles. Regular monitoring of logs for suspicious SQL queries or unusual access patterns is essential for early detection. If feasible, migrating to alternative donation management solutions or upgrading to a patched version (once available) is recommended. Additionally, organizations should educate administrators about the risks and ensure backups of critical data are maintained securely to enable recovery in case of compromise.
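The page states that the affected code in /members/update_password_admin.php is unknown, so the following is an added illustration of the defect class (CWE-89, user input concatenated into a query) in a password-update handler, beside a hardened form using a prepared statement, an admin-session check and password hashing. This is not the project's code; the table and column names (members, id, password) and the session key admin_id are assumptions.

```php
<?php
// Added example, not code from the Church Donation System. Table/column names
// and the $_SESSION['admin_id'] key are assumptions for illustration.

// --- Vulnerable pattern: the request parameter is interpolated into the SQL text ---
function update_password_vulnerable(mysqli $db, string $memberId, string $newPassword): bool
{
    // A quote character inside $newPassword changes the structure of the statement,
    // which is exactly the condition the advisory describes for new_password.
    $sql = "UPDATE members SET password = '$newPassword' WHERE id = '$memberId'";
    return $db->query($sql) !== false;
}

// --- Hardened pattern: authenticate, bind parameters, store a hash, not plaintext ---
function update_password_hardened(mysqli $db, string $memberId, string $newPassword): bool
{
    // The advisory notes no authentication is required to reach the flaw;
    // an administrative action must be gated on an authenticated admin session.
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        return false;
    }
    // Basic input policy: reject trivially short passwords before touching the DB.
    if (strlen($newPassword) < 12) {
        return false;
    }
    // Prepared statement: the value travels separately from the query text, so
    // nothing in $newPassword can alter the statement the database executes.
    $stmt = $db->prepare('UPDATE members SET password = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $hash = password_hash($newPassword, PASSWORD_DEFAULT); // never store plaintext
    $id   = (int) $memberId;                               // enforce the expected type
    $stmt->bind_param('si', $hash, $id);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}
```

Pairing the prepared statement with a database account that holds only UPDATE on the members table (the least-privilege point made above) limits what a remaining injection elsewhere in the application could reach.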
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-19T04:05:02.426Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 687c3c51a83201eaac0015ae
Added to database: 7/20/2025, 12:46:09 AM
Last enriched: 7/20/2025, 1:01:25 AM
Last updated: 7/20/2025, 1:01:25 AM