
CVE-2025-7861: SQL Injection in code-projects Church Donation System

Severity: Medium
Tags: Vulnerability, CVE-2025-7861
Published: Sun Jul 20 2025 (07/20/2025, 01:03:51 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Church Donation System

Description

A vulnerability, which was classified as critical, was found in code-projects Church Donation System 1.0. Affected is an unknown function of the file /members/search.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

AI analysis last updated: 07/20/2025, 01:31:44 UTC

Technical Analysis

CVE-2025-7861 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Church Donation System, specifically within an unspecified function in the /members/search.php file. The vulnerability arises from improper sanitization or validation of the 'Username' parameter, which allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. Exploiting this flaw could enable an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the underlying database. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level, with an attack vector that is network-based and requires no privileges or user interaction. The impact on confidentiality, integrity, and availability is limited but present, as the vulnerability allows partial compromise of data. Although no public exploits are currently known in the wild, the disclosure of the exploit code increases the risk of exploitation. The absence of patches or mitigation links suggests that the vendor has not yet released an official fix, making affected systems vulnerable until remediated.

Potential Impact

For European organizations using the Church Donation System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of donor and organizational data. Exploitation could lead to unauthorized access to sensitive personal information, including donor identities and donation histories, potentially violating GDPR regulations and resulting in legal and reputational damage. Additionally, attackers could alter donation records, impacting financial reporting and trustworthiness. Given the remote, unauthenticated nature of the exploit, attackers could target these systems en masse, increasing the likelihood of widespread data breaches. The impact on availability is limited but possible if attackers execute destructive SQL commands. Organizations relying on this software for managing donations in churches or religious institutions across Europe should consider this vulnerability a priority for remediation to avoid compliance issues and operational disruptions.

Mitigation Recommendations

Immediate mitigation steps include implementing input validation and parameterized queries or prepared statements in the /members/search.php file to prevent SQL injection. Organizations should audit their current deployment of the Church Donation System 1.0 to identify affected instances. In the absence of an official patch, applying Web Application Firewalls (WAFs) with rules targeting SQL injection patterns on the 'Username' parameter can provide temporary protection. Restricting database user permissions to the minimum necessary can limit the impact of a successful injection. Monitoring logs for unusual database query patterns or repeated failed attempts targeting the search functionality can help detect exploitation attempts early. Organizations should also plan to upgrade to a patched version once available or consider migrating to alternative donation management solutions with better security postures. Regular security assessments and penetration testing focusing on input validation should be conducted to prevent similar vulnerabilities.
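The parameterized-query mitigation described above, written out as an added example (not code from the Church Donation System itself, whose search.php source is not shown here). It assumes a PDO connection to a MySQL database, a hypothetical `members` table with `id`, `username` and `full_name` columns, the `Username` request parameter named in the advisory, and a read-only database account for the search page:

```php
<?php
// Added example, not the project's code. Hardened replacement for the kind of
// search handler CVE-2025-7861 describes. The vulnerable pattern is a query built
// by string concatenation with $_GET['Username'] (hypothetical reconstruction);
// the fix below never lets the parameter become part of the SQL text.
declare(strict_types=1);

/**
 * Look up members by username prefix using a prepared statement.
 * The value is bound as a parameter, so quotes or SQL keywords in it are inert.
 * Table and column names are assumptions for this example.
 */
function searchMembers(PDO $pdo, string $username): array
{
    // Input validation: bound the length and allow only the characters a
    // username may contain. Reject bad input rather than trying to "clean" it.
    if ($username === '' || strlen($username) > 64
        || !preg_match('/^[A-Za-z0-9._-]+$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }

    // Escape LIKE wildcards so a search for "%" or "_" cannot match every row
    // (MySQL's default LIKE escape character is the backslash).
    $pattern = addcslashes($username, '%_\\') . '%';

    $stmt = $pdo->prepare(
        'SELECT id, username, full_name FROM members WHERE username LIKE :u LIMIT 100'
    );
    $stmt->bindValue(':u', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Least privilege: the search page only needs a read-only account (assumed name
// "app_ro"). Emulated prepares are disabled so binding happens server-side.
$pdo = new PDO('mysql:host=localhost;dbname=church', 'app_ro', getenv('DB_PASSWORD'), [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

try {
    $rows = searchMembers($pdo, (string) ($_GET['Username'] ?? ''));
} catch (InvalidArgumentException $e) {
    http_response_code(400);   // rejected input; log it for detection purposes
    exit('Bad request');
}
```

Rejected requests (HTTP 400 from the validation step) are a useful signal for the log monitoring recommended above, since legitimate users rarely send quote characters or SQL fragments in a username field.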


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-19T04:06:11.021Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687c4361a83201eaac002e95

Added to database: 7/20/2025, 1:16:17 AM

Last enriched: 7/20/2025, 1:31:44 AM

Last updated: 7/20/2025, 1:31:44 AM
