CVE-2025-7861 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Church Donation System, specifically within an undisclosed function in the /members/search.php file. The vulnerability arises from improper sanitization or validation of the 'Username' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. Exploiting this flaw could enable an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even deletion. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with an attack vector that is network-based, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no public exploit is currently known to be actively used in the wild, the disclosure of the vulnerability and its exploitability means that attackers could develop and deploy attacks targeting vulnerable installations. The affected product is niche software used by churches for managing donations, which likely stores sensitive donor information and financial data, making it a valuable target for attackers seeking to compromise personal or financial information or disrupt organizational operations.

For European organizations using the Church Donation System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of donor data and financial records. Successful exploitation could lead to unauthorized disclosure of personal information, financial fraud, or manipulation of donation records, undermining trust and potentially violating data protection regulations such as the GDPR. The availability impact is limited but could still disrupt donation processing and organizational workflows. Given the nature of the software, smaller religious organizations or charities in Europe that rely on this system may face reputational damage and legal consequences if donor data is compromised. The medium severity rating suggests that while the vulnerability is exploitable remotely without authentication, the overall impact is somewhat limited by the scope of the affected software and the extent of data exposure. However, the public disclosure increases the urgency for European organizations to address this issue promptly to prevent exploitation.

European organizations should immediately assess whether they are running version 1.0 of the code-projects Church Donation System and prioritize upgrading to a patched version once available. In the absence of an official patch, organizations should implement input validation and parameterized queries or prepared statements in the /members/search.php file to sanitize the 'Username' parameter and prevent SQL injection. Web application firewalls (WAFs) can be configured to detect and block SQL injection attempts targeting this endpoint. Regular security audits and code reviews should be conducted to identify and remediate similar vulnerabilities. Additionally, organizations should monitor logs for suspicious activity related to the 'Username' parameter and restrict network access to the application where feasible. Backup procedures should be verified to ensure data integrity in case of an incident. Finally, staff awareness and incident response plans should be updated to handle potential exploitation scenarios.