CVE-2025-7930 in Church Donation Systeminfo

Summary

by MITRE • 07/21/2025

A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /members/add_members.php. The manipulation of the argument mobile leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/30/2025

The vulnerability identified as CVE-2025-7930 represents a critical sql injection flaw within the code-projects Church Donation System version 1.0. This vulnerability specifically affects the mobile parameter handling within the /members/add_members.php file, creating a significant security risk for organizations utilizing this donation management system. The flaw allows attackers to manipulate database operations through carefully crafted input, potentially compromising the entire system's data integrity and confidentiality. The vulnerability's classification as critical indicates the potential for severe impact including unauthorized data access, data manipulation, and possible system compromise that could affect church donation records and member information.

The technical implementation of this vulnerability stems from inadequate input validation and sanitization within the mobile parameter processing logic. When user-supplied mobile number data is directly incorporated into sql query constructions without proper escaping or parameterization, attackers can inject malicious sql code through the input field. This represents a classic sql injection vulnerability categorized under CWE-89, which specifically addresses improper neutralization of special elements used in sql commands. The attack vector is remote, meaning that malicious actors can exploit this vulnerability without requiring physical access to the system, making it particularly dangerous for web-based applications. The fact that the exploit has been publicly disclosed increases the risk profile significantly as threat actors can readily leverage existing attack code.

The operational impact of this vulnerability extends beyond simple data theft to encompass potential system disruption and unauthorized administrative access. Successful exploitation could allow attackers to extract sensitive donor information, modify membership records, or even escalate privileges within the system. Given that this is a church donation management system, the compromised data would likely include personal financial information, contact details, and donation histories, creating substantial privacy and regulatory compliance risks. Organizations may face legal consequences under data protection regulations such as gdpr or ccpa if member data is compromised, while also potentially suffering reputational damage from such security breaches. The vulnerability affects not just the mobile parameter but suggests that other input fields within the same functionality may also be susceptible to similar attacks, indicating a broader architectural weakness in input handling.

Mitigation strategies should prioritize immediate patching of the affected system to address the sql injection vulnerability in the mobile parameter processing. Organizations should implement proper input validation and parameterized queries throughout the application to prevent similar issues in other components. The implementation of web application firewalls and input sanitization measures can provide additional protective layers. Security monitoring should be enhanced to detect unusual database access patterns that might indicate exploitation attempts. Regular security assessments and penetration testing should be conducted to identify and remediate other potential sql injection vulnerabilities within the system. Additionally, the organization should consider implementing proper access controls and database privilege management to limit the potential damage from any successful exploitation attempts. The vulnerability demonstrates the importance of following secure coding practices and adhering to established security frameworks such as those outlined in the owasp top ten and mitre att&ck framework, particularly focusing on the sql injection attack techniques and the prevention methods recommended for such threats.

Responsible

VulDB

Disclosure

07/21/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00498

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!