CVE-2025-68399
📋 TL;DR
ChurchCRM versions before 6.5.4 contain a stored cross-site scripting (XSS) vulnerability in the GroupEditor.php page. Authenticated users with group management permissions can inject malicious JavaScript that executes when other users view group roles. This affects all ChurchCRM deployments using vulnerable versions.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious user could steal session cookies, perform actions as other users, deface the application, or redirect users to malicious sites.
Likely Case
Privilege escalation within the application, session hijacking of other users, or data theft from users who view the malicious group roles.
If Mitigated
Limited impact due to required authentication and specific permissions, but still allows privilege abuse within the application.
🎯 Exploit Status
Exploitation requires authenticated access with group management permissions. The vulnerability is in the GroupEditor.php page when creating group roles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.4
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gfxf-w4cg-c54j
Restart Required: Yes
Instructions:
1. Back up your ChurchCRM database and files.
2. Download version 6.5.4 from the official repository.
3. Replace the existing files with the new version.
4. Restart your web server.
5. Verify that the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
- Implement server-side input validation to sanitize group role names before storage
- Modify GroupEditor.php to add HTML entity encoding for user inputs
Permission Restriction
- Temporarily restrict 'Manage Groups' permissions to only essential administrators
- Update user permissions in the ChurchCRM admin interface
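The two workaround steps above (validate role names before storage, entity-encode them before output) are shown together below as an added example; it is not ChurchCRM code and not the vendor's fix. ChurchCRM itself is a PHP application, so the equivalent of `html.escape` there is `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`; the allowlist pattern and the sample role name are constructed for illustration.

```python
import html
import re

# Constructed sample: the kind of group-role name a user holding
# 'Manage Groups' rights could submit. Illustrative payload only.
UNTRUSTED_ROLE_NAME = '<script>alert(1)</script>'

# Assumed storage-side policy: letters, digits, spaces and a few
# punctuation marks, at most 64 characters. Apostrophe and ampersand are
# allowed on purpose so that output encoding is still required.
ROLE_NAME_PATTERN = re.compile(r"[A-Za-z0-9 ,.'()&/-]{1,64}")


def is_valid_role_name(name: str) -> bool:
    """Server-side input validation applied before the role name is stored."""
    return ROLE_NAME_PATTERN.fullmatch(name) is not None


def render_role_row_unsafe(role_name: str) -> str:
    """The vulnerable pattern: user-controlled text spliced straight into markup."""
    return f"<tr><td>{role_name}</td></tr>"


def render_role_row_safe(role_name: str) -> str:
    """Hardened form: HTML-entity encode the value before it reaches the page.

    html.escape(quote=True) encodes & < > " and ', so a stored name is
    rendered as literal text even if validation was bypassed or added later.
    """
    return f"<tr><td>{html.escape(role_name, quote=True)}</td></tr>"


def contains_active_markup(rendered: str) -> bool:
    """Check for the 'Verify Fix Applied' step: does the rendered HTML still
    carry an unencoded script tag or a javascript: URL?"""
    lowered = rendered.lower()
    return "<script" in lowered or "javascript:" in lowered


if __name__ == "__main__":
    print("valid:", is_valid_role_name(UNTRUSTED_ROLE_NAME))
    print("unsafe:", render_role_row_unsafe(UNTRUSTED_ROLE_NAME))
    print("safe:  ", render_role_row_safe(UNTRUSTED_ROLE_NAME))
```

Validation and encoding are independent layers: the allowlist rejects the obvious payload at storage time, and encoding at render time protects rows that were stored before the filter existed, which matters here because the vulnerability is stored XSS.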
🧯 If You Can't Patch
- Restrict 'Manage Groups' permissions to only trusted administrators
- Implement a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check if your ChurchCRM version is below 6.5.4 by viewing the version in the application footer or admin panel
Check Version:
Check the version number displayed in the ChurchCRM interface footer or admin dashboard
Verify Fix Applied:
After upgrading to 6.5.4, create a test group role containing a script tag and verify that it is rendered as literal, entity-encoded text rather than executed when the role is viewed
📡 Detection & Monitoring
Log Indicators:
- Unusual group creation/modification activity
- JavaScript or script tags in group role names in database logs
Network Indicators:
- POST requests to GroupEditor.php with script tags in parameters
SIEM Query:
source="churchcrm_logs" AND (event="group_creation" OR event="group_modification") AND (message="*<script>*" OR message="*javascript:*")
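As an added example (not part of the advisory and not a ChurchCRM feature), the following Python reproduces the logic of the SIEM query above over constructed log lines, so the rule can be checked offline before it is deployed. The `key="value"` log format is an assumption, the event names come from the query above (whether ChurchCRM emits exactly those names is not stated on this page), and wildcard matching is done case-insensitively, which is how most SIEM wildcard searches behave.

```python
import fnmatch
import re

# Constructed sample log lines in a key="value" style; not real ChurchCRM output.
SAMPLE_LOGS = [
    'source="churchcrm_logs" event="group_creation" user="alice" message="Created group Choir"',
    'source="churchcrm_logs" event="group_modification" user="bob" message="Renamed role to <script>alert(1)</script>"',
    'source="churchcrm_logs" event="login" user="carol" message="<script>"',          # wrong event type
    'source="churchcrm_logs" event="group_creation" user="dave" message="Role link JAVASCRIPT:void(0)"',
    'source="other_app" event="group_creation" user="eve" message="<script>"',         # wrong source
]

# key="value" pairs; backslash-escaped quotes inside a value are tolerated.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# The three clauses of the SIEM query.
REQUIRED_SOURCE = "churchcrm_logs"
SUSPECT_EVENTS = {"group_creation", "group_modification"}
SUSPECT_PATTERNS = ["*<script>*", "*javascript:*"]


def parse_line(line: str) -> dict:
    """Split one log line into a field dictionary."""
    return {key: value for key, value in KV_RE.findall(line)}


def matches_query(fields: dict) -> bool:
    """source="churchcrm_logs" AND event in {...} AND message matches a wildcard."""
    if fields.get("source") != REQUIRED_SOURCE:
        return False
    if fields.get("event") not in SUSPECT_EVENTS:
        return False
    message = fields.get("message", "").lower()
    return any(fnmatch.fnmatchcase(message, pattern) for pattern in SUSPECT_PATTERNS)


def find_suspect_events(lines) -> list:
    """Return the parsed records that the query would surface."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if matches_query(fields):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in find_suspect_events(SAMPLE_LOGS):
        print(hit["user"], hit["event"], hit["message"])
```

The two negative samples (a matching message under an unrelated event type, and a matching message from another source) show which clauses of the query prune noise; the upper-case `JAVASCRIPT:` line shows why the comparison is done on a lower-cased message.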