CVE-2025-67876
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in ChurchCRM allows low-privilege users with 'Manage Groups' permission to inject persistent JavaScript into group role names. This malicious code executes whenever any user views pages displaying those roles, potentially leading to session hijacking and account takeover. All ChurchCRM instances running versions 6.4.0 or earlier are affected.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Full administrative account takeover leading to complete system compromise, data exfiltration, and further privilege escalation within the ChurchCRM environment.
Likely Case
Session hijacking of regular users and administrators, allowing attackers to perform unauthorized actions, access sensitive member data, and potentially pivot to other systems.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, restricting the attack to the specific user's session without privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated access with 'Manage Groups' permission. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j9gv-26c7-3qrh
Restart Required: No
Instructions:
No official patch available. Monitor ChurchCRM GitHub repository for security updates and apply immediately when released.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side input validation for group role names and ensure proper output encoding (HTML-escaping) wherever role names are rendered in a page.
Manual code modification required - no single command
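The two halves of the "Input Validation and Output Encoding" workaround, shown as an added Python example that is not ChurchCRM's own code (ChurchCRM is written in PHP; the PHP equivalent of escape_for_html() below is htmlspecialchars($name, ENT_QUOTES, 'UTF-8')). The helper names, the allow-list pattern and the in-memory store are assumptions chosen for this illustration. The point it makes: validation on the write path stops script tags from being stored at all, but encoding at the output boundary is the control that actually prevents execution, and it is still needed for names that pass validation (an apostrophe in a role name is legitimate input yet must be encoded).

```python
import html
import re

# Hypothetical allow-list for role names (an assumption for this example, not a
# ChurchCRM rule): letters, digits, spaces and a few punctuation characters,
# 1 to 64 characters. Angle brackets are rejected outright.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9 .,'&()/-]{1,64}$")


def validate_role_name(name: str) -> bool:
    """Server-side input validation: accept only names matching the allow-list."""
    return ROLE_NAME_RE.fullmatch(name) is not None


def escape_for_html(name: str) -> str:
    """Output encoding: neutralise <, >, &, " and ' so the browser treats the name as text."""
    return html.escape(name, quote=True)


def render_role_cell(name: str) -> str:
    """Render a role name into a table cell the way a group page would.
    Encoding happens here, at the output boundary, regardless of what validation
    did on input, so a name that slipped into the database before the fix is still safe."""
    return f"<td>{escape_for_html(name)}</td>"


def save_role_name(store: dict, group_id: int, name: str) -> bool:
    """Simulated write path (constructed in-memory store): reject invalid names
    instead of storing them. Returns True when the name was stored."""
    if not validate_role_name(name):
        return False
    store[group_id] = name
    return True


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, a name with apostrophes that passes
    # validation but still needs encoding, and one carrying a script tag.
    samples = ["Youth Leader", "O'Brien's Group", "Usher <script>alert(1)</script>"]
    roles = {}
    for i, sample in enumerate(samples, start=1):
        stored = save_role_name(roles, i, sample)
        print(f"stored={str(stored):5} rendered={render_role_cell(sample)}")
```

Run it directly to see all three names rendered harmlessly while only the first two are stored. When applying this to a real code base, encode in the templates or view layer rather than in the model, so that every place a role name appears (group pages, member pages, reports) gets the same treatment.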
Temporary Permission Restriction
Temporarily remove 'Manage Groups' permission from all non-essential users until a patch is available.
-- permission_index is a placeholder for the bit position of the 'Manage Groups' permission;
-- confirm the table name and the bit layout against your installed ChurchCRM schema before running.
UPDATE userconfig_usr SET usr_permissions = usr_permissions & ~(1 << permission_index) WHERE usr_permissions & (1 << permission_index);
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict access to ChurchCRM to trusted networks only and implement strict user permission auditing.
🔍 How to Verify
Check if Vulnerable:
Compare the installed ChurchCRM version (from system settings, or the query under "Check Version" below) against 6.4.0; any version 6.4.0 or earlier is affected.
Check Version:
SELECT value FROM settings WHERE name = 'sSoftwareVersion';
Verify Fix Applied:
Test if JavaScript payloads can be saved in group role names and execute when viewed. Verify proper input validation and output encoding.
📡 Detection & Monitoring
Log Indicators:
- Unusual group role name modifications
- JavaScript patterns in database logs for group_role table
Network Indicators:
- Suspicious outbound connections from ChurchCRM server following role view actions
SIEM Query:
source="churchcrm" AND (event="group_role_update" AND data CONTAINS "<script>")
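The log indicators and the SIEM query above, turned into runnable detection logic as an added Python example (not part of the original advisory and not ChurchCRM code). The key=value log layout, the field names source, event, user and data, and the sample lines are all constructed assumptions; the page's SIEM query implies those field names, but the format your SIEM actually ingests may differ and the parser would need adjusting. It goes one step beyond the page's query by decoding one layer of URL encoding and HTML entities before matching, so a URL-encoded or entity-encoded script tag is caught as well as a literal "<script>".

```python
import html
import re
from urllib.parse import unquote

# Constructed sample log lines (assumed key=value layout, not real ChurchCRM output).
SAMPLE_LOG = """\
source=churchcrm event=group_role_update user=alice data="Youth Leader"
source=churchcrm event=group_role_update user=bob data="Usher <script>alert(1)</script>"
source=churchcrm event=group_role_update user=carol data="Greeter %3Cscript%3Ealert(1)%3C%2Fscript%3E"
source=churchcrm event=login user=bob data="ok"
source=churchcrm event=group_role_update user=dave data="Treasurer &lt;script&gt;alert(1)&lt;/script&gt;"
source=churchcrm event=group_role_update user=erin data="Communion Coordinator"
"""

# key=value pairs; values may be double-quoted and contain spaces.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Script tags, javascript: URLs and inline event handlers (on...=), case-insensitive.
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.I)


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in PAIR_RE.findall(line)}


def normalize(value: str) -> str:
    """Undo one layer of URL encoding and HTML entities so encoded variants of the
    same pattern still match. Only one layer is decoded, so doubly encoded input
    is a known gap; adjust to how your application actually logs the field."""
    return html.unescape(unquote(value))


def is_suspicious(value: str) -> bool:
    """True when the (decoded) value contains a script-like pattern."""
    return SCRIPT_RE.search(normalize(value)) is not None


def find_suspicious_role_updates(log_text: str) -> list:
    """Equivalent of the page's SIEM query, widened to encoded payloads: return
    (user, data) pairs for churchcrm group_role_update events whose data looks like script."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("source") != "churchcrm" or rec.get("event") != "group_role_update":
            continue
        if is_suspicious(rec.get("data", "")):
            hits.append((rec.get("user"), rec["data"]))
    return hits


if __name__ == "__main__":
    for user, data in find_suspicious_role_updates(SAMPLE_LOG):
        print(f"ALERT user={user} data={data!r}")
```

On the sample input this flags bob, carol and dave and ignores the login event and the two benign role names. The on...= pattern is deliberately loose and can match ordinary text in other fields, so scope it to the role-name field as done here rather than to whole log lines, and treat a hit as a prompt to inspect the stored value in the group_role table, not as proof of compromise.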