CVE-2026-24855
📋 TL;DR
ChurchCRM versions before 6.7.2 have a stored XSS vulnerability in the calendar event description field. Low-privilege users can inject malicious scripts that execute when other users view the event, potentially leading to account takeover. All users of affected ChurchCRM instances are at risk.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access through session hijacking, leading to complete system compromise, data theft, and further attacks on church members.
Likely Case
Attackers steal session cookies or credentials from users viewing malicious events, gaining unauthorized access to church management data.
If Mitigated
Script execution is prevented through proper input validation and output encoding, limiting impact to minor data integrity issues.
🎯 Exploit Status
Requires authenticated low-privilege user access. XSS payloads are simple to craft and execute automatically when events are viewed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.7.2
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767
Restart Required: No
Instructions:
1. Back up your ChurchCRM database and files.
2. Download ChurchCRM 6.7.2 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Run the database update scripts if prompted.
5. Verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize HTML in event descriptions
Modify ChurchCRM source to filter script tags and JavaScript events from calendar input
Output Encoding
Apply proper HTML encoding when displaying event descriptions
Ensure all calendar event outputs use htmlspecialchars() or equivalent encoding
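The output-encoding workaround above, as an added example that is not ChurchCRM's own code: the raw-echo pattern beside the htmlspecialchars() version, plus the check behind the "Verify Fix Applied" step. The function names and the sample description are assumptions for illustration.

```php
<?php
// Added example, not ChurchCRM project code: encoding a stored calendar
// event description at output time. The function names and the sample
// description are constructed for illustration.
declare(strict_types=1);

// Vulnerable pattern: the stored description is written into the page
// as-is, so HTML or script saved by a low-privilege user is interpreted
// by the browser of every user who views the event.
function renderDescriptionUnsafe(string $description): string
{
    return '<div class="event-description">' . $description . '</div>';
}

// Hardened pattern: encode for the HTML body context at output time.
// ENT_QUOTES also encodes single quotes, so the same helper stays safe
// inside quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would hide content silently.
function renderDescriptionSafe(string $description): string
{
    $encoded = htmlspecialchars(
        $description,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="event-description">' . $encoded . '</div>';
}

// Check used by the "Verify Fix Applied" step: the rendered HTML must not
// contain a raw tag, and decoding the encoded text must give the original
// back, i.e. the description is displayed as plain text, not dropped.
function encodesAsPlainText(string $description): bool
{
    $html = renderDescriptionSafe($description);
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $roundTrip = html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return !str_contains($html, '<script') && $roundTrip === $description;
}

// Constructed sample using the test string from the verification section.
$stored = "Bible study <script>alert('test')</script> at 7pm";

echo renderDescriptionUnsafe($stored), PHP_EOL;   // script tag reaches the browser
echo renderDescriptionSafe($stored), PHP_EOL;     // tag is shown as text

if (!encodesAsPlainText($stored)) {
    throw new RuntimeException('Output encoding check failed');
}
```

Encoding belongs at the point of output, in the context the value lands in; a description placed inside a JavaScript block or a URL needs that context's encoding rather than htmlspecialchars() alone.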
🧯 If You Can't Patch
- Restrict calendar event creation to trusted users only
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check whether the ChurchCRM version is below 6.7.2. Test by creating a calendar event with <script>alert('test')</script> in the description and viewing it.
Check Version:
Check the ChurchCRM admin dashboard or view the includes/version.php file.
Verify Fix Applied:
After upgrading to 6.7.2+, repeat the same XSS test. The script should not execute and should be displayed as plain text.
📡 Detection & Monitoring
Log Indicators:
- Unusual calendar event creation patterns
- Multiple failed login attempts following event views
- Admin account access from unusual locations
Network Indicators:
- Outbound connections to suspicious domains following calendar access
- Unexpected cookie/session data transmission
SIEM Query:
source="churchcrm" AND (event_description CONTAINS "<script>" OR event_description CONTAINS "javascript:")