CVE-2025-7928 in Church Donation System

Summary

by MITRE • 07/21/2025

A vulnerability was found in code-projects Church Donation System 1.0 and classified as critical. This issue affects some unknown processing of the file /members/edit_user.php. The manipulation of the argument firstname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.


Analysis

by VulDB Data Team • 07/30/2025

The vulnerability identified as CVE-2025-7928 is a critical SQL injection flaw in code-projects Church Donation System version 1.0. The weakness resides in the /members/edit_user.php file, where the firstname parameter is processed without adequate input validation or sanitization. The critical classification indicates the potential for severe impact on system integrity and data confidentiality, making it a high-priority concern for organizations running this software. The attack vector is remote: an attacker can exploit the weakness without physical access to the target system, which significantly expands the attack surface.

Exploitation occurs through manipulation of the firstname argument handled by edit_user.php, which lets an attacker inject SQL into the query the application executes. This class of flaw falls under CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The flaw can allow attackers to bypass authentication mechanisms, extract sensitive data from the database, modify or delete records, and potentially gain unauthorized access to the underlying database system. Because the exploit has been publicly disclosed, the window for defensive action is significantly reduced and the risk of active exploitation is higher.

The operational impact extends beyond data theft: the flaw can lead to complete system compromise and unauthorized administrative access. Organizations running this version of the Church Donation System face potential exposure of sensitive donor information, financial records, and personal data of church members. Remote exploitability means attackers can target exposed systems from anywhere on the internet, so network-perimeter controls alone are insufficient. The note that other parameters might be affected suggests the codebase contains additional SQL injection points, indicating a broader architectural issue that calls for a comprehensive audit.

Mitigation for CVE-2025-7928 should prioritize updating the affected software to a version that addresses this vulnerability. Developers should implement proper input validation and parameterized queries (prepared statements) to prevent SQL injection, following established guidance such as the OWASP Top Ten. Network segmentation and firewall rules should limit access to the affected application, and database access controls should be strictly enforced to contain the damage from successful exploitation. Organizations should also audit the entire codebase for similar vulnerabilities, given the indication that other parameters may be affected. When developing incident response procedures, consider MITRE ATT&CK technique T1190 (Exploit Public-Facing Application), as this vulnerability is a clear example of remote exploitation of an internet-facing service that could be leveraged for broader network compromise.
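As an added illustration (not code from the Church Donation System or from VulDB), the vulnerable concatenation pattern described above is shown beside a hardened PHP handler that allow-list validates the field and binds it through a PDO prepared statement. The table name `users`, its columns and the function names are hypothetical.

```php
<?php
// Hypothetical hardening example; table and column names are placeholders.
declare(strict_types=1);

// Vulnerable pattern (CWE-89): the request value is concatenated straight into
// the SQL text, so quote characters in `firstname` change the query structure.
function updateFirstnameVulnerable(PDO $db, string $firstname, int $id): bool
{
    $sql = "UPDATE users SET firstname = '" . $firstname . "' WHERE id = " . $id;
    return $db->query($sql) !== false;
}

// Allow-list validation: letters (including accented ones), spaces, apostrophes
// and hyphens, 1-50 characters. Returns null when the value is rejected.
function validateFirstname(string $firstname): ?string
{
    $firstname = trim($firstname);
    if (!preg_match("/^\p{L}[\p{L} '\-]{0,49}$/u", $firstname)) {
        return null;
    }
    return $firstname;
}

// Hardened pattern: reject invalid input, then bind the value as a parameter so
// the database treats it as data, never as SQL. Note that a legitimate name such
// as O'Brien passes validation and still contains a quote; the prepared
// statement, not the allow-list, is what keeps that quote out of the query text.
function updateFirstnameSafe(PDO $db, string $firstname, int $id): bool
{
    $clean = validateFirstname($firstname);
    if ($clean === null) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET firstname = :firstname WHERE id = :id');
    $stmt->bindValue(':firstname', $clean, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Usage in an edit handler (hypothetical connection details):
// $pdo = new PDO('mysql:host=localhost;dbname=church', $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
// ]);
// $ok = updateFirstnameSafe($pdo, $_POST['firstname'] ?? '', (int) ($_POST['id'] ?? 0));
```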

Responsible: VulDB

Disclosure: 07/21/2025

Moderation: accepted

CPE: ready

Exploit: available (download)

EPSS: 0.00498

KEV: no

Activities: low
