CVE-2025-68401 in ChurchCRM
Summary
by MITRE • 12/18/2025
ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue.
Analysis
by VulDB Data Team • 12/20/2025
The vulnerability identified as CVE-2025-68401 is a critical stored cross-site scripting flaw in ChurchCRM, an open-source church management system that serves thousands of religious organizations worldwide. It exists in versions prior to 6.0.0 and stems from inadequate input validation and sanitization in the application's data handling. An attacker can inject HTML and JavaScript through user-supplied content inputs; the payload is stored in the application's database and executed when other users later view that content. This is the classic stored XSS pattern: the malicious payload persists server-side and runs in the victim's browser context without requiring any further user interaction.
The operational impact of this vulnerability extends beyond simple script execution, as the stored JavaScript can access web origin data and perform privileged actions on behalf of authenticated users. This capability enables attackers to leverage the victim's session context to execute commands that would normally be restricted to authorized users within the application's permission model. The vulnerability particularly affects organizations using ChurchCRM for sensitive operations including member management, financial tracking, and administrative functions where privileged access could result in significant data compromise. According to CWE classification, this represents a CWE-79: Improper Neutralization of Input During Web Page Generation, specifically manifesting as a stored XSS vulnerability that allows attackers to execute malicious scripts in the context of the victim's browser session.
The security implications are particularly severe because session cookies are often not marked with the HttpOnly flag in vulnerable configurations, which adds a session-hijacking vector. An attacker who can execute JavaScript in the victim's browser context can read the document.cookie property and extract session tokens and other sensitive authentication data. This directly enables account takeover, where the attacker assumes the identity of a legitimate user and maintains persistent access to the organization's ChurchCRM instance. The vulnerability aligns with ATT&CK techniques T1531: Account Access Removal and T1078: Valid Accounts, as attackers can use stolen session tokens to maintain access and potentially escalate privileges within the system. Organizations running ChurchCRM without proper security hardening face significant risk of unauthorized access to sensitive church member data, financial records, and administrative controls.
Remediation for CVE-2025-68401 requires an immediate upgrade to version 6.0.0 or later, which implements proper input sanitization and output encoding so that malicious content is neither stored nor executed. Organizations should also add compensating controls: enforce the HttpOnly flag on all session cookies, deploy Content Security Policy headers to restrict the sources from which scripts may execute, and audit user-supplied content regularly. The fix addresses the root cause by ensuring that all user-provided HTML and JavaScript content is sanitized before storage, so that injected scripts cannot later execute in other users' browsers. Security teams should also consider web application firewalls and monitoring to detect exploitation attempts, and should check other applications in their infrastructure for the same class of weakness.
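The following is an added illustration, not code from ChurchCRM or from VulDB, of the two points the analysis makes: the stored-XSS pattern (user-supplied markup echoed back unencoded versus HTML-encoded on output) and the compensating controls (an HttpOnly session cookie and a nonce-based Content Security Policy that blocks inline event handlers). The sample "member note", the cookie name sessionid and the nonce value are constructed placeholders, and the small audit helpers are hypothetical, written for this example.

```python
import html
import re

# Constructed sample input: a stored "member note" containing markup with an
# inline event handler. It is a test string for this example, not a payload
# taken from the advisory or from ChurchCRM.
UNTRUSTED_NOTE = '<img src=x onerror="alert(document.cookie)">Welcome!'


def render_note_vulnerable(note: str) -> str:
    """Pre-6.0.0 pattern described in the analysis: the stored string is
    placed into the page verbatim, so any markup in it becomes live markup."""
    return f'<div class="note">{note}</div>'


def render_note_encoded(note: str) -> str:
    """Hardened pattern: HTML-encode on output so the stored string is shown
    as text and never parsed as elements or attributes."""
    return f'<div class="note">{html.escape(note, quote=True)}</div>'


# Audit helper (hypothetical): does the rendered HTML contain an element with
# an inline on* event handler attribute? Encoded output cannot match because
# its '<' characters have become '&lt;'.
_EVENT_HANDLER_RE = re.compile(r"<[a-z]+[^>]*\son\w+\s*=", re.IGNORECASE)


def contains_event_handler(rendered_html: str) -> bool:
    return _EVENT_HANDLER_RE.search(rendered_html) is not None


def build_session_cookie(name: str, value: str, https: bool = True) -> str:
    """Set-Cookie value with the attributes the analysis recommends.
    HttpOnly keeps the cookie out of document.cookie; SameSite and Secure
    are standard companions."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def cookie_is_httponly(set_cookie_value: str) -> bool:
    """Audit helper (hypothetical): report whether a Set-Cookie value carries
    the HttpOnly attribute (attribute names are case-insensitive)."""
    attributes = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "httponly" in attributes


def hardened_headers(nonce: str, session_id: str) -> dict:
    """Response headers for a hardened deployment. The CSP allows only
    same-origin scripts and scripts carrying the per-response nonce; inline
    event handlers such as onerror are not allowed because neither
    'unsafe-inline' nor 'unsafe-hashes' is present."""
    csp = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'"
    )
    return {
        "Content-Security-Policy": csp,
        # "sessionid" is a placeholder cookie name for this example.
        "Set-Cookie": build_session_cookie("sessionid", session_id),
    }


if __name__ == "__main__":
    vulnerable = render_note_vulnerable(UNTRUSTED_NOTE)
    encoded = render_note_encoded(UNTRUSTED_NOTE)
    print("vulnerable output has live handler:", contains_event_handler(vulnerable))
    print("encoded output has live handler:   ", contains_event_handler(encoded))
    print(encoded)
    headers = hardened_headers(nonce="r4nd0m-placeholder", session_id="SESSION-ID-PLACEHOLDER")
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("cookie is HttpOnly:", cookie_is_httponly(headers["Set-Cookie"]))
```

Output encoding at render time is what closes the hole; the cookie flag and the CSP only limit what a successful injection can do (no cookie theft through document.cookie, no inline handler execution), which is why the analysis lists them as additional controls rather than as the fix.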