CVE-2025-1024
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.13.0 allows authenticated administrators to inject malicious JavaScript via the EID parameter in EditEventAttendees.php. This enables attackers to steal session cookies, impersonate users, and perform unauthorized actions within the application. Only users with administrative privileges are directly affected, but successful exploitation could lead to broader system compromise.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could steal session cookies, gain full administrative control over the ChurchCRM instance, access sensitive member data, and potentially pivot to other systems.
Likely Case
An attacker with admin credentials could steal other users' sessions, modify event attendance records, and perform unauthorized administrative actions.
If Mitigated
With proper input validation and output encoding the payload is neutralised before it reaches the browser, so exploitation is prevented and any residual impact is limited to the specific admin user's session.
🎯 Exploit Status
Exploitation requires administrative access to the ChurchCRM instance. The vulnerability is a classic reflected XSS that can be exploited by crafting malicious URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the GitHub issue for the latest patch information
Vendor Advisory: https://github.com/ChurchCRM/CRM/issues/7250
Restart Required: No
Instructions:
1. Check the GitHub issue for available patches.
2. Apply the security patch provided by the ChurchCRM developers.
3. Verify the fix by testing the EID parameter with XSS payloads.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation that sanitizes the EID parameter, allowing only the expected characters.
Modify EditEventAttendees.php to validate the EID parameter with the regex /^[0-9]+$/ before the value is used.
Output Encoding
Apply proper HTML encoding to the EID parameter before outputting it in the response.
Use htmlspecialchars() or an equivalent function when echoing the EID parameter in PHP.
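The two workarounds above, side by side with the pattern they correct, as an added example. This is not ChurchCRM's source: the "vulnerable" function is a constructed illustration of a raw request value reflected into the page, and all function names are hypothetical. It applies the advisory's regex for validation and htmlspecialchars() for output encoding; the ENT_QUOTES flag is included because the default flags leave single quotes unencoded, which matters whenever the value lands inside an attribute.

```php
<?php
// Added example, not ChurchCRM's code: the reflected-XSS pattern the advisory
// describes, followed by the two workarounds it recommends (allow-list
// validation of EID, then HTML encoding on output). Function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern (constructed): the raw request value is reflected as-is.
function renderAttendeesVulnerable(array $query): string
{
    $eid = $query['EID'] ?? '';
    return '<h2>Attendees for event ' . $eid . '</h2>';
}

// Workaround 1: allow-list validation with the advisory's regex. An event id is
// a string of digits, so anything else is rejected before it reaches the page.
// The D modifier stops $ from matching before a trailing newline.
function validateEventId(string $raw): ?int
{
    if (preg_match('/^[0-9]+$/D', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Workaround 2: context-aware output encoding. ENT_QUOTES encodes both quote
// characters; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened handler: validate first, and still encode on output (defence in depth,
// so a future change that relaxes validation does not reopen the hole).
function renderAttendeesHardened(array $query): string
{
    $eid = validateEventId((string) ($query['EID'] ?? ''));
    if ($eid === null) {
        return '<p>Invalid event id.</p>';
    }
    return '<h2>Attendees for event ' . encodeForHtml((string) $eid) . '</h2>';
}

// Demonstration with constructed requests, using the probe payload named in
// the advisory's verification step.
$probe = ['EID' => "<script>alert('XSS')</script>"];
$valid = ['EID' => '42'];

echo 'vulnerable: ', renderAttendeesVulnerable($probe), PHP_EOL;  // script tag reflected verbatim
echo 'hardened:   ', renderAttendeesHardened($probe), PHP_EOL;    // rejected by validation
echo 'hardened:   ', renderAttendeesHardened($valid), PHP_EOL;    // normal page output
echo 'encoded:    ', encodeForHtml($probe['EID']), PHP_EOL;       // what encoding alone would emit
```

The last line shows what output encoding alone produces when run over the probe payload: the angle brackets and quotes become entities, so even if validation were bypassed the browser renders text rather than executing a script. Run it with `php example.php` from the CLI.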
🧯 If You Can't Patch
- Restrict administrative access to trusted users only and implement strict session management
- Deploy a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Test the EditEventAttendees.php page with XSS payloads in the EID parameter (e.g., <script>alert('XSS')</script>) while authenticated as admin.
Check Version:
Check the ChurchCRM version in the admin interface or in the application configuration files.
Verify Fix Applied:
After patching, test the same XSS payloads to ensure they are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual EID parameter values containing script tags or JavaScript in web server logs
- Multiple failed authentication attempts followed by successful admin login
Network Indicators:
- HTTP requests to EditEventAttendees.php with suspicious EID parameters
- Outbound connections to external domains following admin session access
SIEM Query:
source="web_server_logs" AND uri="*EditEventAttendees.php*" AND (param="*<script>*" OR param="*javascript:*")
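An offline version of the SIEM query above, written as an added example for teams that can only work from raw web-server access logs; it is not part of the advisory. Two details matter in practice: a browser sends `<script>` as `%3Cscript%3E`, so a literal match on the encoded line misses it and the query string has to be URL-decoded first, and flagging any EID that is not a plain integer (the same allow-list the workaround uses) catches probes that a denylist of `<script>` and `javascript:` would not. The log lines are constructed in Apache combined format, not real traffic, and the script names are the advisory's own plus a made-up unrelated page.

```php
<?php
// Added example, not part of the advisory: scan access-log lines for requests
// to EditEventAttendees.php whose EID parameter is not a plain integer.

declare(strict_types=1);

const TARGET_SCRIPT = 'EditEventAttendees.php';

// Returns the decoded EID value if it looks suspicious, or null if the line is clean
// or does not concern the target script.
function suspiciousEid(string $logLine): ?string
{
    // Request line inside the quotes: METHOD PATH PROTOCOL
    if (preg_match('/"(?:GET|POST) (\S+) HTTP\/[0-9.]+"/', $logLine, $m) !== 1) {
        return null;
    }
    $url = parse_url($m[1]);
    if (!is_array($url) || !isset($url['path'], $url['query'])) {
        return null;
    }
    if (basename($url['path']) !== TARGET_SCRIPT) {
        return null;
    }
    parse_str($url['query'], $params);   // parse_str URL-decodes the values for us
    if (!isset($params['EID']) || !is_string($params['EID'])) {
        return null;                     // absent, or EID[]=... array form
    }
    // Allow-list: a legitimate event id is digits only; anything else is flagged.
    return preg_match('/^[0-9]+$/D', $params['EID']) === 1 ? null : $params['EID'];
}

// Scan a batch of lines; returns [lineNumber => decoded EID] for the flagged ones.
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $eid = suspiciousEid($line);
        if ($eid !== null) {
            $hits[$i + 1] = $eid;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Line 2 carries the advisory's probe
// payload URL-encoded; line 3 hits an unrelated, made-up page; line 4 is a
// non-numeric value that contains no script tag at all.
$sample = [
    '10.0.0.5 - - [01/Feb/2025:10:00:01 +0000] "GET /EditEventAttendees.php?EID=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Feb/2025:10:00:07 +0000] "GET /EditEventAttendees.php?EID=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 5310 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Feb/2025:10:01:15 +0000] "GET /SomeOtherPage.php?EID=%3Cscript%3E HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Feb/2025:10:02:30 +0000] "GET /EditEventAttendees.php?EID=42abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (scanLog($sample) as $lineNo => $eid) {
    printf("line %d: suspicious EID %s\n", $lineNo, $eid);
}
// Flags lines 2 and 4; line 1 is a normal request and line 3 is a different script.
```

Feed real logs with `php scan.php < access.log` after replacing `$sample` with `file('php://stdin')`; pair a hit with the session and user recorded for that request to tell an administrator who clicked a crafted link apart from routine use.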