CVE-2025-67875
📋 TL;DR
ChurchCRM versions before 6.5.3 contain a privilege escalation vulnerability: authenticated users holding both the 'Edit Records' and 'Manage Properties and Classifications' permissions can store a persistent (stored) XSS payload in administrator profiles. When an administrator views the affected profile, the payload runs in their browser and can hijack their session and perform administrative actions on the attacker's behalf. This affects all ChurchCRM deployments running a vulnerable version.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of administrator accounts, allowing attackers to modify all system data, create/delete users, and potentially execute arbitrary code through subsequent attacks.
Likely Case
Session hijacking leading to unauthorized administrative actions, data manipulation, and privilege escalation within the ChurchCRM system.
If Mitigated
Limited impact with proper network segmentation, strong authentication controls, and monitoring of administrative account activities.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions and knowledge of administrator usernames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcw7-mmfh-7vjm
Restart Required: Yes
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.3 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Run the database update scripts if required.
5. Restart the web server services.
🔧 Temporary Workarounds
Restrict User Permissions
Temporarily remove the 'Edit Records' and 'Manage Properties and Classifications' permissions from non-administrative users.
Implement WAF Rules
Configure the web application firewall to block XSS payloads targeting user profile endpoints.
🧯 If You Can't Patch
- Implement strict access controls and monitor all user profile modification activities.
- Isolate ChurchCRM instance from internet access and restrict internal network access.
🔍 How to Verify
Check if Vulnerable:
Check ChurchCRM version in admin panel or by examining source files. Versions below 6.5.3 are vulnerable.
Check Version:
Check /Include/Config.php or the admin dashboard for version information.
Verify Fix Applied:
Confirm ChurchCRM version is 6.5.3 or higher and test that users with 'Edit Records' permissions cannot modify administrator profiles.
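The version check above is easy to get wrong if the comparison is done on strings (for example, "6.5.10" sorts before "6.5.3" lexically). The helper below is an added example, not part of the advisory or the ChurchCRM project; it takes whatever version string you copied from /Include/Config.php or the dashboard (leading "v" or trailing suffixes tolerated) and compares it numerically against the fixed version 6.5.3 stated in this advisory.

```python
import re

# Fixed version from the advisory: 6.5.3 and later are not affected.
FIXED_VERSION = (6, 5, 3)

def parse_version(text: str) -> tuple:
    """Extract a (major, minor, patch) tuple from a version string.

    Accepts strings such as "6.5.2", "v6.5.2" or "6.5.2-rc1"; the numeric
    core is compared, anything else is ignored. Raises ValueError if no
    dotted triple is present, so a missing value is never silently treated
    as 'fixed'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_vulnerable(version_text: str) -> bool:
    """True if the installed version is below the fixed version (6.5.3)."""
    return parse_version(version_text) < FIXED_VERSION

def check(version_text: str) -> str:
    """Human-readable verdict for a version string read from the install."""
    try:
        vulnerable = is_vulnerable(version_text)
    except ValueError as exc:
        return f"UNKNOWN: {exc}"
    return "VULNERABLE: upgrade to 6.5.3 or later" if vulnerable else "OK: 6.5.3 or later"

if __name__ == "__main__":
    # Constructed sample inputs, not values read from a real installation.
    for sample in ["6.5.2", "v6.5.3", "6.5.10", "6.4.9-beta", "unknown"]:
        print(f"{sample:>12}: {check(sample)}")
```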
📡 Detection & Monitoring
Log Indicators:
- Unusual user profile modifications by non-administrative users
- Multiple failed login attempts followed by successful administrator login from same IP
- Administrative actions performed from non-administrator accounts
Network Indicators:
- HTTP POST requests to user profile endpoints containing script tags or JavaScript payloads
- Unusual traffic patterns to administrator profile pages
SIEM Query:
source="churchcrm_logs" AND ((event="profile_update" AND user_role!="admin") OR (event="admin_action" AND source_user!="admin"))
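The log and network indicators listed above can be turned into a small correlation rule. The script below is an added example written for this advisory, not tooling from the ChurchCRM project or the advisory's source: it runs the two SIEM conditions (profile updates by non-administrators and administrative actions from non-administrator accounts) plus a script-tag indicator over a few constructed JSON-lines events. The field names (event, actor, actor_role, target, body, src_ip) are assumptions standing in for whatever your log pipeline actually records; ChurchCRM itself does not emit these records in this shape.

```python
import json
import re

# Constructed sample events in JSON-lines form (not real ChurchCRM logs).
# Field names are assumptions; map them to your own log schema.
SAMPLE_LOG = r"""
{"ts":"2025-01-10T09:00:01Z","event":"profile_update","actor":"alice","actor_role":"admin","target":"alice","src_ip":"10.0.0.5","body":"{\"Title\":\"Pastor\"}"}
{"ts":"2025-01-10T09:02:11Z","event":"profile_update","actor":"bob","actor_role":"user","target":"bob","src_ip":"10.0.0.7","body":"{\"Title\":\"Volunteer\"}"}
{"ts":"2025-01-10T09:05:42Z","event":"profile_update","actor":"bob","actor_role":"user","target":"alice","src_ip":"10.0.0.7","body":"{\"Title\":\"<script>x()</script>\"}"}
{"ts":"2025-01-10T09:07:03Z","event":"admin_action","actor":"bob","actor_role":"user","target":"system","src_ip":"10.0.0.7","body":"{\"action\":\"create_user\"}"}
{"ts":"2025-01-10T09:09:30Z","event":"admin_action","actor":"alice","actor_role":"admin","target":"system","src_ip":"10.0.0.5","body":"{\"action\":\"create_user\"}"}
"""

# Coarse indicator for script-like content in submitted profile fields
# (script tags, javascript: URLs, inline event handlers). This is a triage
# signal, not a complete XSS filter.
SCRIPT_PATTERN = re.compile(r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def parse_events(text: str) -> list:
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(event: dict) -> list:
    """Return the list of indicator names that apply to one event (empty if benign)."""
    reasons = []
    kind = event.get("event")
    role = event.get("actor_role")
    actor = event.get("actor")
    target = event.get("target")

    # SIEM condition 1: profile update by a non-admin. A user editing their own
    # profile is normal; editing someone else's is the pattern behind this CVE.
    if kind == "profile_update" and role != "admin" and target != actor:
        reasons.append("non-admin modified another user's profile")

    # SIEM condition 2: administrative action not performed by an admin.
    if kind == "admin_action" and role != "admin":
        reasons.append("administrative action from non-admin account")

    # Network indicator: script-like content in the submitted body.
    if SCRIPT_PATTERN.search(event.get("body", "")):
        reasons.append("script-like content in submitted profile fields")

    return reasons

def scan(text: str) -> list:
    """Run classify() over every event and return the flagged ones with reasons."""
    findings = []
    for event in parse_events(text):
        reasons = classify(event)
        if reasons:
            findings.append({
                "ts": event.get("ts"),
                "actor": event.get("actor"),
                "target": event.get("target"),
                "src_ip": event.get("src_ip"),
                "reasons": reasons,
            })
    return findings

def suspicious_actors(findings: list, threshold: int = 2) -> set:
    """Actors that trip at least `threshold` findings: candidates for session review."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return {actor for actor, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["actor"], "->", f["target"], "|", "; ".join(f["reasons"]))
    print("review these accounts:", sorted(suspicious_actors(results)))
```

A non-admin editing their own profile (the second sample event) is deliberately not flagged, so the rule stays quiet on routine activity and fires on the cross-account edit and the out-of-role administrative action that characterise this issue.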