CVE-2025-67876
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including administrators) views a page that displays that role, such as GroupView.php or PersonView.php. This allows full session hijacking and account takeover. As of time of publication, no known patched versions are available.
Affected Vendors & Products
Vendor: churchcrm
Product: churchcrm
Version / Range: up to and including 6.4.0
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in ChurchCRM versions 6.4.0 and earlier. A low-privilege user with the 'Manage Groups' permission can inject persistent JavaScript code into group role names. This malicious code is saved in the database and runs whenever any user, including administrators, views a page displaying that role, such as GroupView.php or PersonView.php. This can lead to session hijacking and account takeover.

Impact Analysis

The vulnerability can allow attackers to hijack user sessions and take over accounts, including those of administrators. This can lead to unauthorized access, data theft, manipulation of information, and potentially full control over the ChurchCRM system.

Mitigation Strategies

Since no patched versions are available, immediate mitigation steps include restricting the 'Manage Groups' permission to only fully trusted users, avoiding viewing pages that display group role names (such as GroupView.php or PersonView.php) when possible, and monitoring for suspicious activity that may indicate session hijacking or account takeover attempts.

Compliance Impact

The vulnerability allows full administrator session hijacking and account takeover, leading to exposure of all sensitive personal data stored in ChurchCRM. This exposure of sensitive personal data could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches. [1]

Detection Guidance

Exploitation of this vulnerability can be detected by inspecting the group role names stored in the ChurchCRM database, specifically in the list_lst table, for suspicious JavaScript payloads such as script tags or external script references. Because the vulnerability is stored XSS in group role names, a database query can find role names that contain script tags or other suspicious HTML, for example:

SELECT * FROM list_lst WHERE lst_OptionName LIKE '%<script%';

Additionally, monitoring HTTP traffic for requests to pages like GroupView.php or PersonView.php that result in unexpected script execution or unusual network requests to external domains (such as attacker-hosted scripts) can help detect exploitation attempts. Network monitoring tools or browser developer tools can be used to observe such behavior. Since no patched versions are available, manual inspection and monitoring are critical. [1]
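To make the database check above concrete, here is an added example (not from the advisory or the ChurchCRM project) that loads constructed rows into an in-memory SQLite copy of the list_lst table, runs the advisory's LIKE query, and then runs a broader sweep, because a single '<script' pattern misses event-handler attributes and javascript: URIs. The lst_ID column name and every role name in the sample are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample of the ChurchCRM list_lst table. The table and the
# lst_OptionName column are named in the advisory; lst_ID is an assumed
# column name and every role name below is made up for this example.
SAMPLE_ROWS = [
    (1, "Member"),
    (2, "Group Leader"),
    (3, 'Treasurer<script src="https://example.invalid/r.js"></script>'),
    (4, 'Usher <img src=x onerror="x()">'),
    (5, '<a href="javascript:x()">Greeter</a>'),
    (6, "Youth & Young Adults"),  # a bare ampersand is not suspicious
]

# Markers of HTML or JavaScript in a field that should hold plain text.
SUSPICIOUS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "embedding_tag": re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.I),
}

def build_sample_db() -> sqlite3.Connection:
    """In-memory list_lst table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE list_lst (lst_ID INTEGER, lst_OptionName TEXT)")
    conn.executemany("INSERT INTO list_lst VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def script_tag_rows(conn: sqlite3.Connection) -> list[int]:
    """The advisory's LIKE query: catches literal <script> payloads only."""
    cur = conn.execute(
        "SELECT lst_ID FROM list_lst WHERE lst_OptionName LIKE '%<script%'")
    return [row[0] for row in cur]

def suspicious_role_names(conn: sqlite3.Connection) -> dict[int, list[str]]:
    """Broader sweep: lst_ID -> names of the markers found in the role name."""
    findings = {}
    for lst_id, name in conn.execute("SELECT lst_ID, lst_OptionName FROM list_lst"):
        hits = [label for label, rx in SUSPICIOUS.items() if rx.search(name)]
        if hits:
            findings[lst_id] = hits  # review these rows by hand before cleaning
    return findings

if __name__ == "__main__":
    db = build_sample_db()
    print("LIKE check flags lst_ID:", script_tag_rows(db))
    print("Marker sweep flags:", suspicious_role_names(db))
```

Against a live MySQL instance the same sweep can be run by pointing the two SELECT statements at the production list_lst table; the LIKE query alone flags only row 3, while the marker sweep also surfaces rows 4 and 5.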
