Cyber Resilience

CVE-2025-1598

MediumPublic PoC

Published: 24 February 2025

Published
24 February 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0008 24.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1598 is a medium-severity Improper Access Control (CWE-284) vulnerability in Mayurik Best Church Management Software. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-1598 is a critical vulnerability in SourceCodester Best Church Management Software version 1.0, affecting an unknown functionality within the file /admin/app/asset_crud.php. The flaw enables unrestricted file upload through manipulation of the "photo1" argument and is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely by an authenticated attacker possessing low privileges, with low attack complexity and no requirement for user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to upload arbitrary files that could lead to further compromise depending on server configuration.

Advisories from VulDB indicate the vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are referenced. A proof-of-concept exploit has been publicly disclosed, including a detailed write-up on GitHub, increasing the risk of active exploitation.

EU & UK References

Vulnerability details

A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/asset_crud.php. The manipulation of the argument photo1 leads to unrestricted upload. The…

more

attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in the web application (/admin/app/asset_crud.php) enables exploitation of public-facing applications (T1190) and facilitates deployment of web shells via arbitrary file upload (T1505.003).

CVEs Like This One

CVE-2025-1599Same product: Mayurik Best Church Management Software
CVE-2025-1961Same product: Mayurik Best Church Management Software
CVE-2025-1200Same product: Mayurik Best Church Management Software
CVE-2025-1596Same product: Mayurik Best Church Management Software
CVE-2025-1593Same vendor: Mayurik
CVE-2024-13144Shared CWE-284, CWE-434
CVE-2025-1871Same vendor: Mayurik
CVE-2025-8255Shared CWE-284, CWE-434
CVE-2025-2219Shared CWE-284, CWE-434
CVE-2025-7413Shared CWE-284, CWE-434

Affected Assets

mayurik
best church management software
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates the photo1 argument in /admin/app/asset_crud.php to ensure only safe files are uploaded, directly preventing unrestricted upload of dangerous types.

prevent

Restricts file types accepted via the photo1 parameter to safe formats like images, blocking unrestricted uploads.

prevent

Enforces logical access controls on the asset_crud.php functionality to address improper access control (CWE-284) and limit exploitation to authorized low-privilege users.

References