CVE-2025-1961
Published: 04 March 2025
Summary
CVE-2025-1961 is a medium-severity Injection (CWE-74) vulnerability in Mayurik Best Church Management Software. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-1961 by requiring timely identification, reporting, and correction of the specific SQL injection flaw in /admin/app/web_crud.php.
Prevents SQL injection exploitation by validating and sanitizing the vulnerable 'encryption' argument and other inputs to the web_crud.php functionality.
Enables proactive detection of SQL injection vulnerabilities like CVE-2025-1961 through regular automated vulnerability scanning of the application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (/admin/app/web_crud.php) enables initial access via exploitation of public-facing application (T1190) and facilitates collection from databases (T1213.006) through arbitrary SQL query execution.
NVD Description
A vulnerability has been found in SourceCodester Best Church Management Software 1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/app/web_crud.php. The manipulation of the argument encryption leads to sql injection. The attack…
more
can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Deeper analysisAI
CVE-2025-1961 is a critical SQL injection vulnerability in SourceCodester Best Church Management Software version 1.1. The flaw affects an unknown functionality in the file /admin/app/web_crud.php, where manipulation of the "encryption" argument triggers the injection. Classified under CWE-74 and CWE-89, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-04T23:15:10.717. Other parameters may also be vulnerable.
The vulnerability enables remote exploitation by low-privileged users (PR:L) with low attack complexity and no user interaction required. Attackers can achieve limited impacts on confidentiality, integrity, and availability through SQL injection, potentially allowing unauthorized database queries, modifications, or disruptions.
Advisories detail the issue on VulDB (ctiid.298561, id.298561, submit.510865), with a proof-of-concept exploit disclosed publicly on GitHub at https://github.com/Yesec/Best-church-management-software/blob/main/web_crud.php_SQLi.md. The vendor site is available at www.sourcecodester.com.
The exploit has been made public and may be actively used, highlighting the need for immediate assessment in affected environments.
Details
- CWE(s)