CVE-2025-67874

6.5 MEDIUM

📋 TL;DR

ChurchCRM versions before 6.5.0 echo plaintext passwords back in HTTP responses, allowing attackers to steal user credentials. This affects all ChurchCRM installations running vulnerable versions. The vulnerability significantly increases risk of account compromise and can amplify other attacks.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: All versions prior to 6.5.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all ChurchCRM deployments regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers harvest all user passwords, leading to complete system compromise, data theft, and potential lateral movement to other systems using reused credentials.

🟠 Likely Case

Attackers capture passwords of active users through XSS or other injection attacks, leading to unauthorized access and potential data manipulation.

🟢 If Mitigated

With proper network segmentation and monitoring, the impact is limited to the isolated ChurchCRM system, provided its credentials are not reused elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires ability to intercept or view HTTP responses, which can be achieved through XSS, MITM, or other injection attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.0

Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x

Restart Required: Yes

Instructions:

1. Back up the ChurchCRM database and files.
2. Download ChurchCRM 6.5.0 or later from GitHub.
3. Replace the existing installation files with the new version.
4. Run the database update scripts if required.
5. Restart the web server.

🔧 Temporary Workarounds

WAF Rule for Password Detection

all

Configure WAF to block responses containing password patterns

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ChurchCRM from other systems
  • Enforce mandatory password rotation for all users and monitor for suspicious login attempts

🔍 How to Verify

Check if Vulnerable:

Test by submitting a known password through the login form and checking whether that value appears in any subsequent HTTP response.

Check Version:

Check ChurchCRM admin dashboard or view /includes/version.php

Verify Fix Applied:

After the upgrade, repeat the same test and confirm that the submitted password no longer appears in any HTTP response.
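As an added example (not ChurchCRM project code), the "does the password come back?" half of the verification step above, done offline against captured response bodies. It looks for the submitted password in the raw body and in the HTML-entity, URL-encoded and JSON-escaped forms a server commonly applies before echoing a value; the sample captures are constructed for illustration, not real ChurchCRM output.

```python
"""Check captured HTTP response bodies for a plaintext echo of a submitted password."""
import html
import re
from urllib.parse import unquote


def _json_unescape(text: str) -> str:
    # Undo JSON string escapes (\" \\ \/ \uXXXX) in a single pass.
    def repl(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc.startswith("u") else esc
    return re.sub(r'\\(u[0-9a-fA-F]{4}|["\\/])', repl, text)


# Decodings a server might have applied before echoing a value.
# Order matters: the first one that exposes the password is reported.
DECODERS = [
    ("raw", lambda t: t),
    ("html-entities", html.unescape),
    ("url-encoded", unquote),
    ("json-escaped", _json_unescape),
]


def find_password_echo(password: str, body: str):
    """Return (encoding, snippet) for the first decoding that reveals the
    submitted password in the response body, or None if it is not echoed."""
    if not password:
        raise ValueError("password must be non-empty")
    for label, decode in DECODERS:
        text = decode(body)
        idx = text.find(password)
        if idx != -1:
            lo, hi = max(0, idx - 25), idx + len(password) + 25
            return label, text[lo:hi]
    return None


def leaking_responses(password: str, captures: dict) -> list:
    """Names of captured responses (name -> body) that echo the password."""
    return [name for name, body in captures.items()
            if find_password_echo(password, body) is not None]


# Constructed sample captures (not real ChurchCRM output) for one test password.
TEST_PASSWORD = 'S3cr&t<pw>"x'
SAMPLE_CAPTURES = {
    "login-error-html": '<input name="password" value="S3cr&amp;t&lt;pw&gt;&quot;x">',
    "redirect-location": 'Location: /login?pw=S3cr%26t%3Cpw%3E%22x',
    "api-json": '{"error":"Bad credentials for S3cr&t<pw>\\"x"}',
    "fixed-version": '<input name="password" value="">',
}

if __name__ == "__main__":
    for name in leaking_responses(TEST_PASSWORD, SAMPLE_CAPTURES):
        print(name, find_password_echo(TEST_PASSWORD, SAMPLE_CAPTURES[name]))
```

Any non-empty result after the upgrade means the fix is not in place on that endpoint; use a throwaway test account and password for the check.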

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful logins from unusual locations
  • HTTP responses containing password-like strings in access logs

Network Indicators:

  • HTTP responses containing plaintext passwords in traffic captures
  • Unusual outbound traffic patterns after user logins

SIEM Query:

source="churchcrm_logs" AND ((event="login" AND response_size>normal) OR (http_response CONTAINS "password"))
