CVE-2025-1599
Published: 24 February 2025
Summary
CVE-2025-1599 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Mayurik Best Church Management Software. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prevents path traversal exploitation by validating the old_cat_img input parameter in /admin/app/profile_crud.php to reject traversal sequences like '../filedir'.
Mandates timely remediation of the path traversal vulnerability in profile_crud.php through patching, code fixes, or workarounds despite vendor non-response.
Enforces logical access controls to block unauthorized file access or deletion attempts enabled by the path traversal manipulation.
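The SI-10 control above comes down to never letting the old_cat_img value choose a path component. The following is an added example of what such validation looks like in a PHP delete handler; it is not code from Best Church Management Software, and the upload directory, the file-name pattern and the function name are assumptions made for the example.

```php
<?php
// Added example (not the project's own code): hardened handling of the
// old_cat_img parameter before deleting a previously uploaded image.
// Assumptions (not from the advisory): uploads live in UPLOAD_DIR and
// file names are a short token followed by an image extension.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads/profile';

/**
 * Return the absolute path of an upload that is safe to delete, or null.
 * Step 1 rejects anything that is not a bare file name (SI-10 input
 * validation), so '../' sequences never reach the filesystem call.
 * Step 2 re-checks, after symlink resolution, that the file is inside
 * UPLOAD_DIR, which covers the case where a stored name is itself a link.
 */
function resolveUploadForDeletion(string $oldCatImg): ?string
{
    // 1. Allow-list the shape: one path component, no separators, no dots
    //    other than the one before the extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png|gif)\z/', $oldCatImg)) {
        return null;
    }

    // 2. Canonicalise both sides and confirm containment.
    $base      = realpath(UPLOAD_DIR);
    $candidate = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $oldCatImg);
    if ($base === false || $candidate === false) {
        return null; // upload directory missing, or the file does not exist
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the upload directory
    }

    return is_file($candidate) ? $candidate : null;
}

// Usage inside the delete branch of the CRUD handler (after the usual
// session/authorisation check, which this example does not replace):
$target = resolveUploadForDeletion((string) ($_POST['old_cat_img'] ?? ''));
if ($target === null) {
    http_response_code(400);
    // Rejected values are worth logging: a '../' in this field is a
    // reliable signal of the traversal attempt described in the advisory.
    error_log('profile_crud: rejected old_cat_img value');
    exit;
}

unlink($target);
```

The regex alone is enough to stop the '../filedir' pattern from the advisory; the realpath containment check is the belt-and-braces part, and the error_log line gives SOC teams something concrete to alert on while a vendor fix is outstanding (SI-2).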
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal vulnerability in public-facing web application (/admin/app/profile_crud.php) enables remote exploitation (T1190) and arbitrary file deletion (T1070.004) for indicator removal.
NVD Description
A vulnerability was found in SourceCodester Best Church Management Software 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/app/profile_crud.php. The manipulation of the argument old_cat_img leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2025-1599 is a path traversal vulnerability in SourceCodester Best Church Management Software version 1.0. The issue affects an unknown functionality within the file /admin/app/profile_crud.php, where manipulation of the old_cat_img argument enables traversal sequences such as '../filedir'. Classified under CWE-22, CWE-23, and CWE-24, it has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) and is rated as problematic.
The vulnerability can be exploited remotely by authenticated users with low privileges (PR:L), requiring no user interaction and low attack complexity. Successful exploitation allows limited integrity and availability impacts, such as unauthorized file deletion, without compromising confidentiality.
Advisories from VulDB and a public GitHub repository detail the exploit, which has been disclosed and may be actively used. The vendor was contacted early but provided no response, and no patches or mitigations are mentioned in available references.
The exploit code is publicly available on GitHub, targeting file deletion in the application.
Details
- CWE(s)