CVE-2025-7860 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Church Donation System, specifically within the /members/login_admin.php file. The vulnerability arises from improper handling and sanitization of the 'Username' parameter, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. Exploiting this flaw can enable attackers to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the database. The CVSS 4.0 score is 6.9, indicating a medium severity level, reflecting the ease of remote exploitation without privileges but with limited impact on confidentiality, integrity, and availability. Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation by threat actors. The absence of available patches or vendor advisories further exacerbates the risk for organizations using this software. Given the nature of the application—a donation management system used by churches and possibly other non-profits—the database likely contains sensitive donor information, financial records, and administrative credentials, making the impact of a successful attack significant.

For European organizations, particularly religious institutions and non-profits utilizing the Church Donation System 1.0, this vulnerability poses a substantial risk. Successful exploitation could lead to unauthorized disclosure of donor personal and financial information, undermining privacy and potentially violating GDPR requirements. Data integrity could be compromised, affecting donation records and financial reporting, which may disrupt organizational operations and trust. Additionally, attackers could leverage the vulnerability to escalate privileges or pivot within the network, potentially impacting broader IT infrastructure. The reputational damage from a breach involving sensitive donor data could be severe, affecting fundraising efforts and stakeholder confidence. Given the remote and unauthenticated nature of the exploit, organizations face a heightened risk, especially if the system is internet-facing or accessible from less secure networks.

Immediate mitigation should focus on restricting access to the /members/login_admin.php endpoint by implementing network-level controls such as IP whitelisting or VPN access to limit exposure. Organizations should conduct thorough input validation and sanitization on the 'Username' parameter to prevent SQL injection, employing parameterized queries or prepared statements in the application code. Since no official patches are available, applying a Web Application Firewall (WAF) with custom rules to detect and block SQL injection attempts targeting this endpoint is recommended. Regularly monitoring logs for suspicious activity related to login attempts can help detect exploitation attempts early. Organizations should also plan to upgrade or replace the vulnerable software with a secure version once available or consider alternative donation management solutions with a strong security posture. Finally, conducting security awareness training for administrators and implementing strict access controls can reduce the risk of exploitation.