CVE-2025-7930: SQL Injection in code-projects Church Donation System

Medium
Published: Mon Jul 21 2025 (07/21/2025, 16:02:05 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Church Donation System

Description

A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /members/add_members.php. The manipulation of the argument mobile leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

AI-Powered Analysis

AI analysis last updated: 07/21/2025, 16:31:12 UTC

Technical Analysis

CVE-2025-7930 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Church Donation System, specifically within the /members/add_members.php file. The vulnerability arises from improper sanitization or validation of the 'mobile' parameter, allowing an attacker to inject malicious SQL code remotely without any authentication or user interaction. This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or even complete compromise of the underlying database. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 6.9, reflecting its network attack vector, low complexity, and no requirement for privileges or user interaction. Although the exploit has been publicly disclosed, there are no confirmed reports of active exploitation in the wild. Other parameters in the same script might also be vulnerable, indicating a broader issue with input validation in the affected component. The lack of available patches or vendor advisories increases the risk for organizations still running this version. Given the critical nature of donation systems that handle sensitive donor information and financial transactions, this vulnerability poses a significant risk if left unmitigated.

Potential Impact

For European organizations, especially religious institutions, charities, and non-profits using the Church Donation System 1.0, this vulnerability could lead to severe consequences. Successful exploitation could result in unauthorized access to personally identifiable information (PII) of donors, including contact details and potentially financial data. This exposure could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. Furthermore, attackers could manipulate donation records, causing financial discrepancies or fraud. The integrity of donation data is critical for trust and compliance with financial reporting standards. Additionally, attackers might leverage this vulnerability to pivot within the organization's network, escalating attacks beyond the donation system. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, particularly targeting organizations with internet-facing donation portals. The absence of patches and the public disclosure of the exploit code heighten the urgency for European organizations to address this threat promptly.

Mitigation Recommendations

European organizations should implement immediate compensating controls while awaiting official patches or updates. Specific recommendations include:

1. Conduct a thorough code review of /members/add_members.php and related scripts to identify and sanitize all user inputs, especially the 'mobile' parameter, using parameterized queries or prepared statements to prevent SQL injection.
2. Deploy Web Application Firewalls (WAFs) configured to detect and block SQL injection patterns targeting the donation system endpoints.
3. Restrict direct internet access to the donation system where feasible, limiting exposure to trusted networks or VPNs.
4. Monitor database logs and web server logs for suspicious query patterns or anomalous activities indicative of injection attempts.
5. Implement strict database user permissions, ensuring the application uses least-privilege accounts to limit the impact of a successful injection.
6. Educate IT and security teams about this specific vulnerability and ensure incident response plans include steps for SQL injection detection and containment.
7. Plan and prioritize upgrading to a patched or newer version of the Church Donation System once available, or consider alternative donation platforms with robust security practices.

These targeted actions go beyond generic advice by focusing on immediate risk reduction tailored to the known vulnerability and the affected application components.
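The following PHP is an added illustration of recommendation 1 (prepared statements with input validation) and recommendation 5 (a least-privilege database account); it is not code from the code-projects Church Donation System, whose source is not reproduced on this page. The table name members, its column names, the DSN, the credentials and the request handling are all assumptions made for the example. The first function shows the general shape of the defect the advisory describes (user input spliced into SQL text); the second shows the hardened equivalent.

```php
<?php
// Added example, not code from the Church Donation System. Table `members`,
// its columns, the DSN and the account name are assumptions for illustration.

// BEFORE: the class of defect described in the advisory. The request value is
// concatenated into the SQL text, so the database parser cannot distinguish
// the submitted data from the query itself.
function addMemberVulnerable(PDO $db, array $post): bool
{
    $sql = "INSERT INTO members (fullname, mobile) VALUES ('"
         . $post['fullname'] . "', '" . $post['mobile'] . "')";
    return $db->exec($sql) !== false;
}

// AFTER: prepared statement. The query text is fixed at prepare time and the
// values are sent as bound parameters, so they are never parsed as SQL.
function addMemberSafe(PDO $db, array $post): bool
{
    $fullname = trim((string)($post['fullname'] ?? ''));
    $mobile   = trim((string)($post['mobile'] ?? ''));

    // Positive validation of the 'mobile' field (recommendation 1). This is
    // defence in depth; the bound parameter below is what prevents injection.
    if ($fullname === '' || mb_strlen($fullname) > 100) {
        throw new InvalidArgumentException('fullname missing or too long');
    }
    if (!preg_match('/^\+?[0-9]{6,15}$/', $mobile)) {
        throw new InvalidArgumentException('mobile must be 6 to 15 digits');
    }

    $stmt = $db->prepare(
        'INSERT INTO members (fullname, mobile) VALUES (:fullname, :mobile)'
    );
    $stmt->bindValue(':fullname', $fullname, PDO::PARAM_STR);
    $stmt->bindValue(':mobile', $mobile, PDO::PARAM_STR);
    return $stmt->execute();
}

// Connection helper. `app_user` stands for a dedicated account granted only
// INSERT/SELECT on the tables this script needs (recommendation 5); emulated
// prepares are disabled so binding is performed by the server, not the driver.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=church_db;charset=utf8mb4'; // placeholder
    $pdo = new PDO($dsn, 'app_user', getenv('DB_PASSWORD') ?: '');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Request handler: reject bad input with 400, and keep database error detail
// in the server log rather than in the HTTP response.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        addMemberSafe(connect(), $_POST);
        http_response_code(201);
        echo 'member added';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'invalid input';
    } catch (PDOException $e) {
        error_log($e->getMessage());
        http_response_code(500);
        echo 'database error';
    }
}
```

The same pattern applies to every other parameter the script accepts; the advisory notes that others in /members/add_members.php may be affected, so the review should cover each value that reaches a query, not only 'mobile'.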

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-21T06:29:44.757Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687e67c6a83201eaac117515

Added to database: 7/21/2025, 4:16:06 PM

Last enriched: 7/21/2025, 4:31:12 PM

Last updated: 8/17/2025, 12:28:13 PM
