Executive Summary

CVE-2026-39333 is a reflected Cross-Site Scripting (XSS) vulnerability in the ChurchCRM software, specifically in the FindFundRaiser.php endpoint before version 7.1.0.

The vulnerability occurs because user-supplied input parameters DateStart and DateEnd are inserted directly into HTML input field attributes without proper encoding or escaping.

An authenticated attacker can craft a malicious URL that injects JavaScript code by breaking out of the HTML attribute context, for example by injecting event handlers like 'onfocus'.

When another authenticated user visits this malicious URL, the injected JavaScript executes in the context of the application, potentially exposing sensitive data such as session cookies and allowing unauthorized actions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including exposure of sensitive information and unauthorized actions performed on behalf of authenticated users.

• An attacker can steal session cookies, leading to account compromise.
• Malicious scripts can execute in the victim's browser, potentially manipulating data or performing actions with the victim's privileges.
• The attack requires the victim to be authenticated and to visit a crafted malicious URL.
• The vulnerability has a high severity with a CVSS score of 8.7, indicating significant confidentiality and integrity impacts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the FindFundRaiser.php endpoint reflects user-supplied input from the DateStart and DateEnd parameters into HTML input attributes without proper encoding.

One way to test is to craft a URL with a payload that injects JavaScript event handlers, for example:

• http://localhost/FindFundRaiser.php?DateStart=%22%20autofocus%20onfocus%3Dalert(document.cookie)%20x%3D%22&DateEnd=test

If visiting this URL while authenticated triggers a JavaScript alert or executes arbitrary script, the vulnerability is present.

From a network perspective, monitoring for HTTP requests containing suspicious payloads in the DateStart or DateEnd parameters can help detect exploitation attempts.

Commands to test this manually could include using curl or wget to fetch the URL and inspect the response for unescaped input, for example:

• curl -i 'http://localhost/FindFundRaiser.php?DateStart=%22%20autofocus%20onfocus%3Dalert(document.cookie)%20x%3D%22&DateEnd=test'

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the FindFundRaiser.php endpoint to trusted authenticated users only, and educate users to avoid clicking on suspicious or untrusted links.

Additionally, implement web application firewall (WAF) rules to detect and block requests containing suspicious payloads in the DateStart and DateEnd parameters.

Useful 0 Not Useful 0

Compliance Impact

The reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM can lead to the exposure of sensitive session data such as cookies and enable unauthorized actions on behalf of authenticated users.

Such exposure and unauthorized access can compromise the confidentiality and integrity of user data, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Therefore, this vulnerability poses a risk to compliance with these common standards and regulations by potentially allowing attackers to access or manipulate protected data.

Useful 0 Not Useful 0