CVE-2025-1596
Published: 23 February 2025
Summary
CVE-2025-1596 is a high-severity Injection (CWE-74) vulnerability in Mayurik Best Church Management Software. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by enforcing validation of the untrusted 'email' input in /fpassword.php.
SI-2 ensures timely remediation of the SQL injection flaw through identification, reporting, and correction processes.
RA-5 enables detection of the SQL injection vulnerability via regular scanning, facilitating proactive mitigation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in public-facing web application (/fpassword.php) enables exploitation of public-facing applications (T1190), abuse of server software components (T1505), and collection from databases (T1213.006).
NVD Description
A vulnerability was found in SourceCodester Best Church Management Software 1.0 and classified as critical. This issue affects some unknown processing of the file /fpassword.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-1596 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) in SourceCodester Best Church Management Software version 1.0. The issue resides in the processing of the file /fpassword.php, where manipulation of the "email" argument enables SQL injection.
The vulnerability is remotely exploitable by unauthenticated attackers with low attack complexity and no user interaction, per its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation can result in low impact to confidentiality, integrity, and availability.
VulDB advisories (ctiid.296591, id.296591, submit.497868) and a GitHub disclosure detail the SQL injection proof-of-concept, which has been made public. The vendor was notified early but provided no response, and no patches or official mitigations are referenced. The software's SourceCodester page offers no further details on remediation.
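As an added illustration (not code from the page, NVD, VulDB or the vendor), the flaw class described above is shown beside the hardened handling that SI-10 input validation and a bound-parameter query give. The users table, the sample addresses, the allow-list regex and the use of sqlite3 as a stand-in for the application's database are assumptions.

```python
import re
import sqlite3
from typing import Optional, Tuple

# Constructed allow-list for the 'email' form field (an SI-10 style check, not the
# vendor's rule). It keeps the apostrophe RFC 5322 permits in a local part so that
# legitimate addresses are not rejected; the query below must therefore handle it.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_email(value: object) -> Optional[str]:
    """Return the trimmed address if it passes the allow-list, otherwise None."""
    if not isinstance(value, str) or len(value) > 254:
        return None
    value = value.strip()
    return value if EMAIL_RE.fullmatch(value) else None


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT)")
    conn.executemany("INSERT INTO users (email, name) VALUES (?, ?)",
                     [("pastor@example.org", "Pastor"), ("o'neil@example.org", "O'Neil")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> Optional[Tuple[int, str]]:
    """Flawed pattern: the request value is spliced into the SQL text, so a quote or
    keyword inside it reaches the database parser as part of the statement."""
    sql = f"SELECT id, name FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn: sqlite3.Connection, email: str) -> Optional[Tuple[int, str]]:
    """Hardened form: the value is bound as a parameter and is only ever compared as data."""
    return conn.execute("SELECT id, name FROM users WHERE email = ?", (email,)).fetchone()


def value_reaches_parser(conn: sqlite3.Connection, email: str) -> bool:
    """True if the unsafe query fails to parse for this value, i.e. the input altered
    the statement's structure instead of being treated as a literal."""
    try:
        find_user_unsafe(conn, email)
        return False
    except sqlite3.Error:
        return True


def forgot_password_lookup(conn: sqlite3.Connection, submitted: object) -> Optional[Tuple[int, str]]:
    """Hardened /fpassword.php-style lookup: validate (SI-10), then query with a bound parameter."""
    email = validate_email(submitted)
    return None if email is None else find_user_safe(conn, email)
```

A legitimate address containing an apostrophe is enough to make the spliced query fail to parse, which is the same property an injected value exploits; the bound-parameter version returns the matching row.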
Details
- CWE(s)