CVE-2025-68275
📋 TL;DR
ChurchCRM versions before 6.5.3 have a stored cross-site scripting vulnerability on three people management pages. This allows attackers to inject malicious scripts that execute when users view those pages. All ChurchCRM instances running vulnerable versions are affected.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially compromising the entire ChurchCRM instance and user data.
Likely Case
Attackers inject malicious JavaScript that steals session cookies or performs unauthorized actions when administrators or users view the vulnerable pages.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
Exploitation requires the ability to inject a malicious payload into the vulnerable fields, which typically requires some level of access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3q97-q4hv-gxwr
Restart Required: Yes
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.5.3 or later.
3. Replace the existing installation with the new version.
4. Restart the web server.
5. Verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize user input submitted to the affected pages.
Content Security Policy
Implement strict CSP headers to prevent execution of injected scripts.
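The two workarounds above, worked through as an added Python example (not ChurchCRM code and not from the advisory): an allow-list validator for a name field, the vulnerable concatenation pattern beside the output-encoded version, and a builder for a strict Content-Security-Policy value. The record layout, field names, length limit and the benign test marker stored in the record are assumptions made for the example.

```python
import html
import re
import secrets

# Constructed sample: a stored person record whose last-name field holds a
# benign script-injection test marker (the kind of "safe XSS test payload"
# the verification step refers to), not a working attack string.
SAMPLE_PERSON = {
    "first_name": "Alice",
    "last_name": '<script>alert("xss-test")</script>',
}

# Markers that must never reach the browser unencoded from a stored field.
ACTIVE_MARKUP = ("<script", "javascript:", "onerror=", "onload=")

# Hypothetical allow-list for a name field: letters, digits, space, dot,
# hyphen and apostrophe, 1-64 characters. Field names and limits are assumptions.
NAME_RE = re.compile(r"^[\w .'\-]{1,64}$")


def validate_name_field(value: str) -> bool:
    """Server-side input validation: reject anything outside the allow-list.
    This is a defence-in-depth filter; output encoding below is the main fix."""
    return bool(NAME_RE.match(value))


def render_row_unsafe(person: dict) -> str:
    """The vulnerable pattern: stored values are concatenated straight into HTML,
    so a stored marker is rendered as live markup on every page view."""
    return f"<tr><td>{person['first_name']}</td><td>{person['last_name']}</td></tr>"


def render_row_safe(person: dict) -> str:
    """Hardened pattern: every stored value is HTML-entity encoded at output
    time (including quotes), so the browser shows the text instead of running it."""
    def esc(value: object) -> str:
        return html.escape(str(value), quote=True)
    return f"<tr><td>{esc(person['first_name'])}</td><td>{esc(person['last_name'])}</td></tr>"


def contains_active_markup(fragment: str) -> bool:
    """True if the rendered fragment still carries a raw tag or event handler."""
    low = fragment.lower()
    return any(marker in low for marker in ACTIVE_MARKUP)


def csp_header(nonce: str) -> str:
    """Strict Content-Security-Policy value: scripts only from the site's own
    origin or inline with a per-response nonce; no plugins, no framing by others."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    )


if __name__ == "__main__":
    print("stored value passes allow-list:", validate_name_field(SAMPLE_PERSON["last_name"]))
    print("unsafe render is live markup: ", contains_active_markup(render_row_unsafe(SAMPLE_PERSON)))
    print("safe render is inert text:    ", not contains_active_markup(render_row_safe(SAMPLE_PERSON)))
    print("Content-Security-Policy:", csp_header(secrets.token_urlsafe(16)))
```

Output encoding is the fix that actually neutralizes data already stored in the database; the input filter only stops new bad values from arriving, and the CSP limits what an injected script can do if both of the others are missed. A nonce-based CSP only helps if the application's own inline scripts carry the nonce, so check the affected pages render correctly after adding the header.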
🧯 If You Can't Patch
- Restrict access to vulnerable pages to trusted users only
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check the ChurchCRM version in the admin panel or by examining the source files. If the version is below 6.5.3, the system is vulnerable.
Check Version:
Check the ChurchCRM admin dashboard or examine the version.php file in the installation directory.
Verify Fix Applied:
After upgrading to 6.5.3, test the three vulnerable pages with safe XSS test payloads to confirm that the input is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in user input fields
- Multiple failed XSS attempts in web server logs
Network Indicators:
- Suspicious script tags in HTTP POST requests to people management endpoints
SIEM Query:
source="web_server_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=") AND ("ViewActivePeople" OR "ViewInactivePeople" OR "ViewAllPeople")
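The SIEM query above matches the literal strings, which misses percent-encoded variants such as %3Cscript%3E. As an added detection example (not from the advisory or the ChurchCRM project), the following Python runs the same logic over constructed Common Log Format lines, URL-decoding the request target before matching and counting repeat sources. The page names come from the query; the ".php" suffix, the addresses, timestamps and query strings are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Page names from the advisory's SIEM query; the ".php" suffix in the sample
# paths below is an assumption about how they appear in the URL.
PEOPLE_ENDPOINTS = ("ViewActivePeople", "ViewInactivePeople", "ViewAllPeople")
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed sample in Common Log Format: addresses, timestamps and the
# query strings are made up for this example (alert(1) is a benign marker).
SAMPLE_LOG = """
203.0.113.5 - - [10/Jan/2025:10:15:32 +0000] "GET /ViewActivePeople.php?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123
203.0.113.5 - - [10/Jan/2025:10:15:40 +0000] "GET /ViewAllPeople.php?search=%22%20onload%3Dalert(1) HTTP/1.1" 200 4990
198.51.100.7 - - [10/Jan/2025:10:16:01 +0000] "GET /ViewAllPeople.php HTTP/1.1" 200 8811
192.0.2.9 - - [10/Jan/2025:10:16:20 +0000] "GET /index.php?x=%3Cscript%3E HTTP/1.1" 404 312
192.0.2.9 - - [10/Jan/2025:10:16:45 +0000] "POST /ViewInactivePeople.php HTTP/1.1" 302 0
""".strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode once so percent-encoded payloads are compared in their real form.
    entry["decoded_target"] = unquote_plus(entry["target"])
    return entry


def is_suspicious(entry: dict) -> bool:
    """Mirror the SIEM query: people-management endpoint AND an XSS marker,
    but matched on the URL-decoded request target."""
    path = entry["decoded_target"].split("?", 1)[0]
    if not any(name in path for name in PEOPLE_ENDPOINTS):
        return False
    low = entry["decoded_target"].lower()
    return any(marker in low for marker in XSS_MARKERS)


def scan(lines):
    """Return the parsed entries that look like XSS probes against the people pages."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            flagged.append(entry)
    return flagged


def repeat_offenders(flagged, threshold: int = 2) -> dict:
    """Source addresses with at least `threshold` flagged requests ("multiple attempts")."""
    counts = Counter(e["ip"] for e in flagged)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for e in hits:
        print(f"{e['ts']} {e['ip']} {e['method']} {e['decoded_target']}")
    print("repeat offenders:", repeat_offenders(hits))
```

One caveat worth keeping in mind: a standard access log records only the request line, so the POST bodies that carry a stored-XSS submission (the case the Network Indicators entry describes) never appear in it. The scanner above sees query-string variants and probing traffic; to catch the POST case you need a WAF or application log that records request bodies, or the application's own audit trail of field changes.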