CVE-2025-8166 is a critical SQL Injection vulnerability identified in version 1.0 of the code-projects Church Donation System, specifically within the /admin/index.php file's HTTP POST request handler. The vulnerability arises from improper sanitization or validation of the 'Username' parameter, which can be manipulated by an attacker to inject malicious SQL commands. This flaw allows remote attackers to execute arbitrary SQL queries on the backend database without requiring authentication or user interaction. Exploiting this vulnerability could lead to unauthorized data access, data modification, or even complete compromise of the underlying database. The CVSS 4.0 score is 6.9 (medium severity), reflecting the ease of exploitation (network attack vector, no privileges or user interaction needed) but limited impact on confidentiality, integrity, and availability (low to medium impact). Although no public exploits are currently known in the wild, the vulnerability has been publicly disclosed, increasing the risk of exploitation. The affected product is niche software used primarily by religious organizations to manage donations, and the vulnerability exists in a core administrative component, potentially exposing sensitive donor and financial data if exploited.

For European organizations, particularly churches and religious institutions using the Church Donation System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of donor information and financial records. Exploitation could lead to unauthorized disclosure of personally identifiable information (PII), financial fraud, or manipulation of donation records. This could result in reputational damage, legal liabilities under GDPR due to data breaches, and financial losses. Given the administrative nature of the affected component, attackers might also gain further access to system controls or pivot to other internal systems. The medium CVSS score suggests that while the vulnerability is exploitable remotely without authentication, the overall impact is somewhat limited by the scope of the affected software and the level of access it provides. However, the sensitivity of financial and personal data handled by donation systems elevates the potential consequences for impacted organizations.

Organizations using the Church Donation System 1.0 should immediately assess their exposure and implement the following mitigations: 1) Apply any available patches or updates from the vendor; if none exist, consider disabling or restricting access to the vulnerable /admin/index.php endpoint via network controls such as firewalls or VPNs limiting access to trusted administrators only. 2) Implement Web Application Firewall (WAF) rules specifically targeting SQL injection patterns on the 'Username' parameter to block malicious payloads. 3) Conduct thorough input validation and sanitization on all user-supplied data, especially in administrative interfaces. 4) Monitor logs for unusual SQL errors or suspicious POST requests targeting the admin interface. 5) Consider migrating to a more secure or updated donation management platform if vendor support is lacking. 6) Educate administrative users on the risks and enforce strong authentication and access controls to reduce attack surface. These steps go beyond generic advice by focusing on compensating controls and monitoring in the absence of immediate patches.