CVE-2025-8167: Cross Site Scripting in code-projects Church Donation System
A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_members.php. The manipulation of the argument fname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
AI Analysis
Technical Summary
CVE-2025-8167 is a cross-site scripting (XSS) vulnerability in version 1.0 of the code-projects Church Donation System, affecting the /admin/edit_members.php file. It arises from missing or inadequate sanitization and output encoding of the 'fname' parameter, which an attacker can manipulate to inject script into the page. The attack can be launched remotely over the network (AV:N); the CVSS vector nevertheless records low privileges (PR:L) and user interaction (UI:P) as required, so exploitation depends on some level of access and on a victim acting on the injected content. The vulnerability impacts integrity and, to a limited extent, confidentiality. The disclosed exploit allows arbitrary JavaScript to run in the context of the victim's browser session, potentially leading to session hijacking, defacement, or redirection to malicious sites. Other parameters in the same or related functionality might also be vulnerable, increasing the attack surface. The vulnerability has a CVSS 4.0 base score of 5.1, categorizing it as medium severity. No official patches have been published yet, and no exploitation in the wild has been observed, but public disclosure increases the risk of exploitation. Because the affected system is a donation management platform used by churches, the vulnerability could be used to target administrative users, potentially compromising sensitive donor information or disrupting donation processes.
Potential Impact
For European organizations, particularly religious institutions and charities using the Church Donation System, this vulnerability poses a risk to the confidentiality and integrity of donor data and administrative operations. Exploitation could lead to unauthorized script execution in admin sessions, enabling attackers to steal credentials, manipulate donation records, or inject fraudulent content. This could damage organizational reputation, reduce donor trust, and potentially lead to financial losses. Additionally, if attackers use the vulnerability to conduct phishing or malware distribution campaigns via the compromised system, it could have broader security implications. The medium severity rating suggests a moderate risk, but the lack of patches and public exploit disclosure heightens the urgency for mitigation. Organizations with limited cybersecurity resources may be particularly vulnerable to exploitation.
Mitigation Recommendations
Immediate mitigation steps include implementing strict input validation and output encoding on the 'fname' parameter and any other user-supplied inputs in /admin/edit_members.php to prevent script injection. Employing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources. Administrators should restrict access to the admin interface to trusted IP ranges or VPNs to limit exposure. Regular monitoring of logs for suspicious activity related to the affected endpoint is advised. Since no official patch is available, organizations should consider temporary workarounds such as disabling the vulnerable functionality if feasible. Updating to a patched version once released is critical. Additionally, training administrative users to recognize phishing attempts and suspicious behavior can reduce the risk of successful exploitation. Conducting security audits and penetration testing focused on web input validation will help identify and remediate similar vulnerabilities.
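The two server-side mitigations above, validation of the fname value on input and HTML encoding of every user-supplied value on output together with a Content Security Policy header, are shown below in an added PHP example. This is illustrative code written for this page, not the project's own edit_members.php (whose source is not reproduced here); the function names validate_fname() and e(), the form field names, and the CSP policy string are assumptions.

```php
<?php
// Added example, not code from the Church Donation System project.
// A hypothetical member-edit handler that applies input validation,
// output encoding and a Content Security Policy to the fname parameter.

declare(strict_types=1);

// Defence in depth: a nonce-based CSP blocks injected inline <script> even if an
// encoding bug slips through elsewhere on the page. (Policy string is an assumption.)
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self'; script-src 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

// Validation: a first name is a short string of letters, spaces, hyphens and apostrophes.
// Returns null when the value is rejected.
function validate_fname(string $raw): ?string
{
    $fname = trim($raw);
    if ($fname === '' || mb_strlen($fname, 'UTF-8') > 64) {
        return null;
    }
    // \p{L} matches any Unicode letter, so names such as "José" or "Zoë" pass.
    if (!preg_match('/^\p{L}[\p{L}\' \-]*$/u', $fname)) {
        return null;
    }
    return $fname;
}

// Output encoding: every user-controlled value is HTML-escaped at the point of
// output, whether or not it passed validation. ENT_QUOTES also covers attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$errors = [];
$fname  = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = (string) ($_POST['fname'] ?? '');
    $candidate = validate_fname($submitted);
    if ($candidate === null) {
        $errors[] = 'First name must be 1-64 letters, spaces, hyphens or apostrophes.';
        $fname = $submitted; // echoed back into the form, but only through e()
    } else {
        $fname = $candidate;
        // ... persist $fname with a prepared statement (omitted) ...
    }
}
?>
<!doctype html>
<meta charset="utf-8">
<form method="post">
  <label>First name
    <input name="fname" value="<?= e($fname) ?>">
  </label>
  <?php foreach ($errors as $err): ?>
    <p class="error"><?= e($err) ?></p>
  <?php endforeach; ?>
  <button type="submit">Save</button>
</form>
<script nonce="<?= e($nonce) ?>">/* the page's own script runs; injected inline scripts do not */</script>
```

The important design point is that validation and encoding are independent layers: validation rejects values that are not plausible names, but a rejected value is still written back into the form only through e(), so a future relaxation of the validation rule cannot reintroduce the injection. The CSP nonce is regenerated per response; a static nonce or 'unsafe-inline' would defeat its purpose.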
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-25T07:25:13.636Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6883df60ad5a09ad0056867f
Added to database: 7/25/2025, 7:47:44 PM
Last enriched: 7/25/2025, 8:02:41 PM
Last updated: 7/26/2025, 5:06:44 AM
Views: 4
Related Threats
- CVE-2025-6991: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme (High)
- CVE-2025-6989: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme (High)
- CVE-2025-5529: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in sparklewpthemes Educenter (Medium)
- CVE-2025-8181: Least Privilege Violation in TOTOLINK N600R (High)
- CVE-2025-8097: CWE-20 Improper Input Validation in xTemos Woodmart (Medium)