CVE-2025-1961 Overview
CVE-2025-1961 is a SQL injection vulnerability in SourceCodester Best Church Management Software version 1.1, developed by Mayurik. The flaw resides in the /admin/app/web_crud.php script, where the encryption parameter is passed into a database query without proper sanitization [CWE-89]. Attackers with low-level authenticated access can manipulate the parameter to inject arbitrary SQL statements remotely. Public exploit details have been disclosed, and additional parameters in the same script may be susceptible to similar manipulation.
Critical Impact
Authenticated remote attackers can execute arbitrary SQL queries against the backend database, leading to unauthorized read or modification of church member records, credentials, and other sensitive data.
Affected Products
- Mayurik Best Church Management Software 1.1
- SourceCodester distribution of Best Church Management Software
- Deployments using /admin/app/web_crud.php from version 1.1
Discovery Timeline
- 2025-03-04 - CVE-2025-1961 published to NVD
- 2025-04-29 - Last updated in NVD database
Technical Details for CVE-2025-1961
Vulnerability Analysis
The vulnerability exists in the administrative CRUD handler /admin/app/web_crud.php shipped with Best Church Management Software 1.1. The encryption request parameter is incorporated into a SQL statement without parameterization or input validation. Because the application concatenates the attacker-controlled value directly into the query, the database engine evaluates injected SQL syntax as part of the original statement.
The vulnerability is categorized under both improper neutralization of special elements in output used by a downstream component [CWE-74] and SQL injection [CWE-89]. According to the public disclosure, other parameters processed by the same script may share the same defect, expanding the attack surface beyond the encryption field.
Successful exploitation allows attackers to read arbitrary tables, modify records, and potentially escalate access depending on database privileges granted to the web application user. Public proof-of-concept material is referenced in the GitHub SQL Injection Guide and VulDB #298561.
Root Cause
The root cause is direct concatenation of unsanitized HTTP request parameters into SQL statements within web_crud.php. The script does not use prepared statements, parameter binding, or type-safe input validation before passing the encryption value to the database driver.
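To make the root cause concrete, here is an added example, not the project's own web_crud.php, of a hypothetical lookup handler written first with the concatenation pattern described above and then in the parameterized form the Workarounds section recommends. The table and column names (members, encryption), the allowed value format, and the connection details are assumptions.

```php
<?php
// Added example, not the project's web_crud.php: a hypothetical lookup handler
// written two ways. Table and column names (members, encryption) are assumed.

// Vulnerable pattern: the request value is spliced into the SQL text, so any
// SQL syntax inside it is parsed by the database as part of the statement.
function lookupVulnerable(mysqli $db, array $request)
{
    $encryption = $request['encryption'] ?? '';
    $sql = "SELECT id, name FROM members WHERE encryption = '$encryption'";
    return $db->query($sql);
}

// Hardened: allow-list the value, then pass it as a bound parameter so the
// driver sends it as data and the statement structure is fixed in advance.
function lookupHardened(mysqli $db, array $request): array
{
    $encryption = $request['encryption'] ?? '';
    // Assumed format for this field: alphanumeric, bounded length. Reject early
    // with a generic response instead of echoing a database error to the client.
    if (!is_string($encryption) || !preg_match('/^[A-Za-z0-9]{1,64}$/', $encryption)) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM members WHERE encryption = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);   // server-side log only
        http_response_code(500);
        return [];
    }
    $stmt->bind_param('s', $encryption);   // bound as a string parameter
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with assumed connection details; keep display_errors off in production
// so driver errors are logged, not returned to the requester.
$db = new mysqli('localhost', 'church_app', 'app-password', 'church');
header('Content-Type: application/json');
echo json_encode(lookupHardened($db, $_GET));
```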
Attack Vector
The attack is delivered over the network against the administrative endpoint. The attacker submits a crafted HTTP request containing malicious SQL syntax in the encryption parameter. Authentication at a low privilege level is required, but no user interaction is needed. The vulnerability does not require local access or chained exploits to trigger query manipulation.
No verified exploit code examples are available. Refer to the VulDB CTI ID #298561 entry for technical disclosure details.
Detection Methods for CVE-2025-1961
Indicators of Compromise
- HTTP requests to /admin/app/web_crud.php containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( within the encryption parameter
- Database error messages, stack traces, or unexpected 500 responses returned from web_crud.php
- Unusual outbound database query volume or long-running queries originating from the church management application user
- Creation, modification, or deletion of administrative accounts not tied to legitimate operator activity
Detection Strategies
- Inspect web server access logs for anomalous query strings or POST bodies targeting web_crud.php, particularly the encryption parameter
- Deploy a web application firewall ruleset that flags SQL injection patterns against the /admin/app/ path
- Enable database query logging and alert on queries containing tautologies like OR 1=1 or stacked statements originating from the application account
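The access-log review suggested in the first strategy above, as an added example that is not part of the original page: a small PHP script that parses combined-format access log lines, isolates requests to /admin/app/web_crud.php, URL-decodes the encryption parameter, and flags values carrying the metacharacter patterns listed under Indicators of Compromise. The log lines are constructed for illustration; POST bodies are not visible in access logs, so those need the WAF or application-level logging.

```php
<?php
// Added example: scan constructed Apache combined-format log lines for requests
// to web_crud.php whose encryption parameter carries SQL metacharacters.
// Only GET query strings are visible here; POST bodies are not logged by default.

const TARGET_PATH = '/admin/app/web_crud.php';
// Same pattern family as the page's ModSecurity rule, plus a bare single quote,
// which the Indicators of Compromise list names (expect some false positives).
const SQLI_PATTERN = '#(union(\s|/\*.*\*/)+select|or\s+1=1|sleep\s*\(|--\s|;\s*drop\s+table|\')#i';

function suspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the request target and status code out of the quoted request field.
        if (!preg_match('#"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})#', $line, $m)) {
            continue;
        }
        $url = $m[1];
        $status = (int) $m[2];
        $parts = parse_url($url);
        if (($parts['path'] ?? '') !== TARGET_PATH) {
            continue;
        }
        parse_str($parts['query'] ?? '', $params);   // URL-decodes each value
        $value = $params['encryption'] ?? null;
        if (is_string($value) && preg_match(SQLI_PATTERN, $value)) {
            $hits[] = ['url' => $url, 'status' => $status, 'encryption' => $value];
        }
    }
    return $hits;
}

// Constructed sample log lines: one benign request, two tautology/union probes,
// and one probe against an unrelated path that should be ignored.
$sampleLog = [
    '203.0.113.5 - admin [04/Mar/2025:10:00:01 +0000] "GET /admin/app/web_crud.php?action=list&encryption=abc123 HTTP/1.1" 200 512',
    '203.0.113.5 - admin [04/Mar/2025:10:00:07 +0000] "GET /admin/app/web_crud.php?encryption=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 9120',
    '203.0.113.5 - admin [04/Mar/2025:10:00:12 +0000] "GET /admin/app/web_crud.php?encryption=1%27%20UNION%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 500 143',
    '198.51.100.9 - - [04/Mar/2025:10:01:00 +0000] "GET /index.php?encryption=1%27%20OR%201%3D1 HTTP/1.1" 200 300',
];

foreach (suspiciousRequests($sampleLog) as $hit) {
    // A 500 alongside a flagged value suggests the injected syntax reached the database.
    printf("ALERT status=%d encryption=%s\n", $hit['status'], $hit['encryption']);
}
```

Run against the sample, the script reports the second and third lines (the OR 1=1 and UNION SELECT probes) and ignores both the benign value and the request to index.php.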
Monitoring Recommendations
- Correlate authentication events for administrative accounts with subsequent requests to web_crud.php
- Monitor for data exfiltration patterns such as large SELECT result sets or INTO OUTFILE usage
- Alert on schema enumeration queries against information_schema tables from the application database user
How to Mitigate CVE-2025-1961
Immediate Actions Required
- Restrict access to /admin/app/web_crud.php to trusted administrative IP ranges using network or web server access controls
- Audit administrative account activity for signs of prior exploitation and rotate any credentials stored in the affected database
- Apply a virtual patch through a web application firewall to block SQL metacharacters in the encryption parameter and other inputs to web_crud.php
Patch Information
No vendor advisory or official patch has been published by Mayurik or SourceCodester at the time of NVD publication. Organizations running Best Church Management Software 1.1 should consider taking the application offline or isolating it until a fixed release is available. Monitor the SourceCodester Security Resources page for updates.
Workarounds
- Replace dynamic SQL in web_crud.php with parameterized queries or prepared statements if source modification is feasible
- Enforce strict server-side input validation on the encryption parameter, restricting it to expected character classes and length
- Apply database least-privilege controls so the application account cannot read sensitive tables or execute administrative SQL
- Disable verbose database error reporting in the web application to reduce information leakage during probing
# Example ModSecurity rule to block SQLi patterns against the vulnerable endpoint
SecRule REQUEST_URI "@contains /admin/app/web_crud.php" \
"phase:2,chain,deny,status:403,id:1002025,\
msg:'CVE-2025-1961 SQLi attempt against web_crud.php'"
SecRule ARGS:encryption "@rx (?i)(union(\s|/\*.*\*/)+select|or\s+1=1|sleep\s*\(|--\s|;\s*drop\s+table)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.