CVE-2025-1961
Published: 04 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1961 is a critical SQL injection vulnerability in SourceCodester Best Church Management Software version 1.1. The flaw affects an unknown functionality in the file /admin/app/web_crud.php, where manipulation of the "encryption" argument triggers the injection. Classified under CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-04T23:15:10.717. Other parameters may also be vulnerable.
The vulnerability enables remote exploitation by low-privileged users (PR:L) with low attack complexity and no user interaction required. Attackers can achieve limited impacts on confidentiality, integrity, and availability through SQL injection, potentially allowing unauthorized database queries, modifications, or disruptions.
Advisories detail the issue on VulDB (ctiid.298561, id.298561, submit.510865), with a proof-of-concept exploit disclosed publicly on GitHub at https://github.com/Yesec/Best-church-management-software/blob/main/web_crud.php_SQLi.md. The vendor site is available at www.sourcecodester.com.
The exploit has been made public and may be actively used, highlighting the need for immediate assessment in affected environments.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/admin/app/web_crud.php) enables initial access via exploitation of public-facing application (T1190) and facilitates collection from databases (T1213.006) through arbitrary SQL query execution.