CVE-2025-7831

7.3 HIGH

📋 TL;DR

A critical SQL injection vulnerability in Church Donation System 1.0 allows remote attackers to execute arbitrary SQL commands via the trcode parameter in /members/Tithes.php. This affects all users running the vulnerable version of this donation management software, potentially leading to data theft, modification, or system compromise.

💻 Affected Systems

Products:
  • Church Donation System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component accessible via /members/Tithes.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including exfiltration of sensitive donor information, financial records, and administrative credentials, potentially leading to full system takeover.

🟠 Likely Case

Unauthorized access to donation records, donor personal information, and potential manipulation of financial data.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or limited data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement parameterized queries or proper input validation for the trcode parameter

Modify /members/Tithes.php to use prepared statements with parameter binding

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules to block SQL injection patterns targeting the trcode parameter

Configure WAF to block requests containing SQL keywords in trcode parameter

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test the /members/Tithes.php endpoint with SQL injection payloads in the trcode parameter

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return appropriate error messages

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts following SQL injection patterns
  • Unexpected database queries from web server IP

Network Indicators:

  • HTTP requests to /members/Tithes.php with SQL keywords in parameters
  • Unusual outbound database connections from web server

SIEM Query:

source="web_logs" AND uri="/members/Tithes.php" AND (param="trcode" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|;)")
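The SIEM query above matches its pattern against whatever form of the trcode value the log pipeline stored. As an added example (not part of this advisory or the vendor's code), the Python below applies the same pattern to URL-decoded trcode values pulled from constructed access-log lines for /members/Tithes.php, so percent-encoded forms such as %3B for `;` or %2D%2D for `--` are not missed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Pattern taken from the advisory's SIEM query, applied to the decoded trcode value.
SQLI_PATTERN = re.compile(r"(?i)(union|select|insert|update|delete|drop|--|#|;)")
TARGET_PATH = "/members/Tithes.php"

# Constructed sample lines in combined access-log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:10:01:02 +0000] "GET /members/Tithes.php?trcode=TR-1001 HTTP/1.1" 200 512
203.0.113.6 - - [10/Jul/2025:10:01:09 +0000] "GET /members/Tithes.php?trcode=1%27%20UNION%20SELECT%201,2,3%2D%2D HTTP/1.1" 500 0
203.0.113.7 - - [10/Jul/2025:10:01:15 +0000] "GET /members/index.php?trcode=1%20OR%201=1 HTTP/1.1" 200 200
203.0.113.8 - - [10/Jul/2025:10:01:20 +0000] "GET /members/Tithes.php?trcode=TR-1002%3B%20DROP%20TABLE%20tithes HTTP/1.1" 500 0
"""

# Client IP, timestamp, request line and status from a combined-format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def extract_trcode(target):
    """Return the URL-decoded trcode value for requests to the Tithes endpoint, else None.

    parse_qs decodes percent-escapes and '+' so the pattern sees the same bytes the
    application would; matching the raw query string would miss encoded '--' or ';'.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("trcode")
    return values[0] if values else None


def scan_log(log_text):
    """Return (ip, status, decoded trcode) for each request whose trcode matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        trcode = extract_trcode(m.group("target"))
        if trcode is not None and SQLI_PATTERN.search(trcode):
            hits.append((m.group("ip"), int(m.group("status")), trcode))
    return hits


if __name__ == "__main__":
    for ip, status, value in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} trcode={value!r}")
```

A 500 status alongside a matching value lines up with the "unusual SQL errors in application logs" indicator above, which is worth correlating before escalating.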
