Executive Summary

CVE-2025-67874 is a vulnerability in ChurchCRM versions prior to 6.5.0 where the application echoes back plaintext passwords submitted by users in HTTP responses. This happens during actions like registration, password changes, resets, or login errors, where passwords appear in JSON payloads, HTML templates, or validation messages. This exposure allows attackers to obtain passwords through browser history, page source, client logs, caches, error pages, or by exploiting other vulnerabilities like cross-site scripting (XSS). The vulnerability increases the risk of credential compromise and can lead to account takeover and lateral movement within the system. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to significant credential compromise by exposing plaintext passwords in HTTP responses. Attackers with privileged access can harvest passwords not only of themselves but also of other users, especially when combined with other vulnerabilities such as XSS or insecure direct object references (IDOR). This can result in full account takeover, lateral movement within the system, contamination of logs complicating forensic investigations, and increased risk due to password reuse. The exposure also violates best practices for secret management and increases the attack surface. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability poses compliance issues related to secret management and the improper handling of sensitive information such as passwords. Exposing plaintext passwords violates standard security practices and can lead to breaches of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data. This improper handling increases the risk of unauthorized access and data compromise, potentially resulting in non-compliance with these regulations. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting HTTP responses from the ChurchCRM application, especially during workflows such as registration, password changes/resets, or login errors. Look for plaintext passwords reflected in JSON payloads, templated HTML, or server-side validation messages. A proof of concept includes visiting the endpoint /SystemSettings.php and checking if plaintext passwords appear in the source code or response bodies. Network monitoring tools like curl or wget can be used to fetch these responses for inspection. For example, you can run: curl -i -X POST https://yourchurchcrm.example.com/SystemSettings.php -d 'username=youruser&password=yourpassword' and then inspect the response for echoed plaintext passwords. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading ChurchCRM to version 6.5.0 or later, where the issue of plaintext password exposure has been fixed by removing password defaults from HTML output and preventing passwords from being echoed in responses. If upgrading is not immediately possible, restrict access to the affected endpoints (e.g., /SystemSettings.php) to trusted users only, monitor logs for suspicious activity, and avoid workflows that expose passwords. Additionally, consider applying any available patches or code changes that eliminate plaintext password exposure as described in the fix, such as those that skip displaying password fields in HTML output. [1, 2]

Useful 0 Not Useful 0