Compliance Impact

This vulnerability allows low-privilege users to inject malicious JavaScript into profile fields, which can exfiltrate session cookies of any user viewing the compromised profile, including administrators. This leads to session hijacking and potential unauthorized administrative actions.

Such unauthorized access and potential data exposure could violate common standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access.

Specifically, the exposure of session cookies and the ability to hijack sessions may lead to breaches of confidentiality and integrity of personal data, which are critical compliance requirements under these regulations.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, consider restricting the EditSelf permission to trusted users only, as this permission allows injection of malicious scripts.

Additionally, monitor user profile fields for suspicious input and avoid viewing profiles of untrusted users to reduce risk of session cookie exfiltration.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-39328 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions up to 7.0.5, fixed in version 7.1.0. It exists in the person profile editing feature, specifically in the social media profile fields for Facebook, LinkedIn, and X (formerly Twitter). Non-administrative users with the EditSelf permission can inject malicious JavaScript into these fields.

Because each field has a 50-character limit, attackers split their malicious payload across all three fields, chaining their onfocus event handlers to execute sequentially. The vulnerability arises because these fields are stored in the database and rendered on profile pages without proper HTML attribute escaping. Although the sanitizeText() function removes HTML tags, it fails to escape quote characters, allowing attackers to break out of attribute boundaries and inject event handlers that trigger immediate script execution.

When any user, including administrators, views the attacker's profile, the injected script executes and exfiltrates their session cookies to a remote server.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to session hijacking, where an attacker steals the session cookies of any user who views the compromised profile, including administrators.

With stolen session cookies, attackers can potentially escalate privileges and perform unauthorized administrative actions within ChurchCRM.

All users who view the attacker's profile are at risk, making the impact widespread within the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking the social media profile fields (Facebook, LinkedIn, and X) in ChurchCRM user profiles for injected JavaScript payloads, especially those containing event handlers like autofocus or onfocus.

A proof of concept payload includes strings such as `autofocus onfocus=alert(1337) x=` distributed across these fields.

To detect exploitation attempts on your system, you can monitor HTTP requests and responses for unusual JavaScript code in these profile fields or look for outgoing network requests that exfiltrate session cookies.

Specific commands are not provided in the resources, but general approaches include:

• Using web application scanners or manual inspection to review profile fields for suspicious event handler attributes.
• Monitoring web server logs for unusual payload patterns or encoded JavaScript in profile update requests.
• Using network monitoring tools (e.g., tcpdump, Wireshark) to detect outbound requests that may be exfiltrating cookies.

Useful 0 Not Useful 0