CVE-2025-1598
Published: 24 February 2025
Summary
CVE-2025-1598 is a medium-severity Improper Access Control (CWE-284) vulnerability in Mayurik Best Church Management Software. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates the photo1 argument in /admin/app/asset_crud.php to ensure only safe files are uploaded, directly preventing unrestricted upload of dangerous types.
Restricts file types accepted via the photo1 parameter to safe formats like images, blocking unrestricted uploads.
Enforces logical access controls on the asset_crud.php functionality to address improper access control (CWE-284) and limit exploitation to authorized low-privilege users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in the web application (/admin/app/asset_crud.php) enables exploitation of public-facing applications (T1190) and facilitates deployment of web shells via arbitrary file upload (T1505.003).
NVD Description
A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/asset_crud.php. The manipulation of the argument photo1 leads to unrestricted upload. The…
more
attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-1598 is a critical vulnerability in SourceCodester Best Church Management Software version 1.0, affecting an unknown functionality within the file /admin/app/asset_crud.php. The flaw enables unrestricted file upload through manipulation of the "photo1" argument and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely by an authenticated attacker possessing low privileges, with low attack complexity and no requirement for user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to upload arbitrary files that could lead to further compromise depending on server configuration.
Advisories from VulDB indicate the vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are referenced. A proof-of-concept exploit has been publicly disclosed, including a detailed write-up on GitHub, increasing the risk of active exploitation.
Details
- CWE(s)