CVE-2026-40593
Stored XSS in ChurchCRM UserEditor.php Allows Admin Browser Exploitation
Publication date: 2026-04-18
Last updated on: 2026-04-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to 7.2.0 (exclusive) |
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ChurchCRM versions prior to 7.2.0 in the User Editor component (UserEditor.php). The system renders stored usernames directly into an HTML input value attribute without using htmlspecialchars(), which is a function that escapes special HTML characters. Because of this, an administrator can save a username containing HTML attribute-breaking characters and event handlers. When another administrator views that user's editor page, the malicious code executes in their browser, resulting in a stored Cross-Site Scripting (XSS) attack.
How can this vulnerability impact me?
The vulnerability allows an attacker with administrator privileges to inject malicious scripts into usernames. These scripts execute in the browsers of other administrators who view the affected user editor page. This can lead to unauthorized actions performed on behalf of administrators, theft of sensitive information such as session tokens, or other malicious activities within the administrative interface.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade ChurchCRM to version 7.2.0 or later, where the issue has been fixed.
This update ensures that usernames are properly escaped using htmlspecialchars(), preventing stored XSS attacks.
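As an added illustration (not ChurchCRM's own code), the unescaped rendering pattern described above beside the htmlspecialchars() fix, plus a small audit helper for usernames stored before the upgrade; the field name, function names and sample data are assumed:

```php
<?php
// Added example, not ChurchCRM code. Field and function names are assumed.
declare(strict_types=1);

// Before the fix: the stored username is concatenated straight into the
// value attribute, so a double quote in the name closes the attribute and
// whatever follows is parsed by the browser as new attributes or markup.
function renderUserNameFieldVulnerable(string $userName): string
{
    return '<input type="text" name="UserName" value="' . $userName . '">';
}

// After the fix: htmlspecialchars() turns < > & " ' into entities, so the
// browser treats the whole name as attribute text. ENT_QUOTES also covers
// single-quoted attributes; ENT_SUBSTITUTE keeps an invalid UTF-8 byte
// sequence from making the function return an empty string.
function renderUserNameFieldFixed(string $userName): string
{
    $escaped = htmlspecialchars($userName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="UserName" value="' . $escaped . '">';
}

// Post-upgrade audit: names containing markup-significant characters were
// saved while the flaw was live and deserve a manual review, since the
// upgrade fixes the output but does not rewrite what is already stored.
function findSuspiciousUserNames(array $userNames): array
{
    return array_values(array_filter($userNames, static function (string $name): bool {
        return preg_match('/[<>"\']/', $name) === 1;
    }));
}

// Constructed sample usernames: one benign, two with attribute-breaking quotes.
$names = ['alice', 'bob"><b>x</b>', "carol' x"];
foreach ($names as $n) {
    echo renderUserNameFieldVulnerable($n), PHP_EOL;
    echo renderUserNameFieldFixed($n), PHP_EOL;
}
print_r(findSuspiciousUserNames($names));
```

Running the script shows the second name escaping the attribute in the vulnerable output while the fixed output keeps it as inert text, and the audit lists the two quoted names for review.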
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ChurchCRM allows stored cross-site scripting (XSS) attacks through the User Editor, which can lead to unauthorized script execution in the browsers of administrators viewing affected user profiles.
Such vulnerabilities can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or exposure of personal or sensitive data, violating data protection and privacy requirements.
Specifically, GDPR requires organizations to implement appropriate technical measures to protect personal data, and HIPAA mandates safeguards to ensure the confidentiality, integrity, and availability of protected health information. An XSS vulnerability could undermine these safeguards.