CVE-2025-68401

4.8 MEDIUM

📋 TL;DR

ChurchCRM versions before 6.0.0 have a stored cross-site scripting (XSS) vulnerability where user-supplied HTML/JavaScript isn't properly sanitized. Attackers can inject malicious scripts that execute in other users' browsers, potentially stealing session cookies and performing unauthorized actions. All users of affected ChurchCRM instances are at risk.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: All versions prior to 6.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All ChurchCRM installations using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover via session cookie theft, unauthorized administrative actions, data exfiltration, and potential lateral movement within the church management system.

🟠 Likely Case

Session hijacking leading to unauthorized access to user accounts, data manipulation, and privilege escalation within the ChurchCRM application.

🟢 If Mitigated

Limited impact with proper HttpOnly cookies and content security policies, though some application functionality could still be disrupted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (viewing malicious content) but the XSS payload execution is straightforward once injected.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.0

Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-phfw-p278-qq7v

Restart Required: Yes

Instructions:

1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 6.0.0 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Run any database migration scripts if required.
5. Restart your web server.

🔧 Temporary Workarounds

Enable HttpOnly Cookies

Applies to: all

Configure session cookies with the HttpOnly flag to prevent JavaScript access to session tokens.

Configure in web server settings or application configuration to set the HttpOnly flag on all session cookies.

Implement Content Security Policy

Applies to: all

Add CSP headers to restrict script execution sources.

Add a 'Content-Security-Policy' header with appropriate directives to the web server configuration.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user-supplied content
  • Disable or restrict user-generated content features until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check ChurchCRM version in admin panel or by examining source files for version indicators

Check Version:

Check admin dashboard or examine /vendor/version.php file

Verify Fix Applied:

Confirm ChurchCRM version is 6.0.0 or later and test XSS payloads in user input fields to ensure they are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/JavaScript patterns in user input fields
  • Multiple failed login attempts from new locations
  • Unexpected administrative actions

Network Indicators:

  • Suspicious outbound connections from ChurchCRM server
  • Unusual traffic patterns to user content endpoints

SIEM Query:

source="churchcrm" AND ((event="user_input" AND message="*<script>*") OR (event="admin_action" AND user="*" AND action="unusual"))
