CVE-2025-1596
Published: 23 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1596 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) in SourceCodester Best Church Management Software version 1.0. The issue resides in the processing of the file /fpassword.php, where manipulation of the "email" argument enables SQL injection.
The vulnerability is remotely exploitable by unauthenticated attackers requiring low complexity and no user interaction, per its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation can result in low-level impacts to confidentiality, integrity, and availability.
VulDB advisories (ctiid.296591, id.296591, submit.497868) and a GitHub disclosure detail the SQL injection proof-of-concept, which has been made public. The vendor was notified early but provided no response, and no patches or official mitigations are referenced. The software's SourceCodester page offers no further details on remediation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in public-facing web application (/fpassword.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505), and collection from databases (T1213.006).