CVE-2025-7860 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Church Donation System, specifically within the /members/login_admin.php file. The vulnerability arises from improper handling and sanitization of the 'Username' parameter, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. Exploiting this flaw can enable an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even full compromise of the underlying database. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with an attack vector that is network-based, low attack complexity, no privileges or user interaction needed, and limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known to be actively used in the wild, the disclosure of the vulnerability and its details increases the risk of exploitation. The affected product, Church Donation System 1.0, is a specialized software used by religious organizations to manage donations and member administration, making the confidentiality and integrity of financial and personal data critical.

For European organizations, particularly churches and religious institutions using the Church Donation System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive donor and administrative data. Exploitation could lead to unauthorized disclosure of personal information, financial fraud, or manipulation of donation records, undermining trust and potentially causing financial loss. Additionally, successful exploitation could allow attackers to pivot within the network, leading to broader compromise. Given the critical nature of donation systems in maintaining operational and financial stability, disruption or data breaches could have reputational and legal consequences under European data protection regulations such as GDPR. The medium CVSS score reflects limited impact scope but does not diminish the importance of addressing the vulnerability promptly to prevent targeted attacks against religious organizations in Europe.

To mitigate this vulnerability, organizations should immediately apply any available patches or updates from the vendor once released. In the absence of official patches, organizations should implement input validation and parameterized queries or prepared statements to sanitize the 'Username' input in /members/login_admin.php, effectively preventing SQL injection. Web application firewalls (WAFs) can be configured to detect and block SQL injection attempts targeting this parameter. Regular security assessments and code reviews should be conducted to identify and remediate similar injection flaws. Additionally, organizations should monitor logs for suspicious activity related to login attempts and database errors. Segmentation of the donation system from other critical infrastructure and enforcing the principle of least privilege on database accounts can limit the impact of a potential breach. Finally, organizations should prepare incident response plans specific to web application attacks to respond swiftly if exploitation is detected.