CVE-2026-58411 in ChurchCRMinfo

Summary

by MITRE • 07/14/2026

ChurchCRM is an open-source church management system. Prior to version 7.4.0, Cross-Site Scripting (XSS) vulnerabilities were identified due to insufficient output encoding of user-controlled request parameter names and parameter values. The application reflects attacker-controlled input into JavaScript string contexts and HTML attribute contexts without proper sanitization or contextual output encoding. Affected endpoints observed during testing: /FamilyCustomFieldsEditor.php, /PaddleNumList.php and /admin/system/church-info. Potential consequences include session-token theft, account takeover, unauthorized actions on behalf of authenticated users, exposure of sensitive church member information, credential harvesting, phishing, and privilege escalation when administrators are targeted. This issue has been resolved in version 7.4.0.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/14/2026

The ChurchCRM system presents a critical cross-site scripting vulnerability affecting versions prior to 7.4.0 that stems from inadequate output encoding practices within its web application framework. This vulnerability manifests when user-controlled input parameters are reflected back into the application's response without proper sanitization or contextual encoding, creating exploitable JavaScript string and HTML attribute contexts. The flaw specifically impacts three key endpoints including FamilyCustomFieldsEditor.php PaddleNumList.php and the administrative church-info section, where request parameter names and values are directly incorporated into dynamic content generation processes. The root cause aligns with CWE-79 which defines cross-site scripting as a weakness occurring when web applications fail to properly validate or encode output data that originates from user inputs.

The operational impact of this vulnerability extends beyond simple script execution to encompass significant security implications for church member data and administrative systems. Attackers can leverage these XSS flaws to steal session tokens and perform account takeovers on authenticated user sessions, particularly targeting administrators who possess elevated privileges within the system. The reflected nature of the vulnerability allows malicious actors to inject malicious scripts that can harvest credentials from vulnerable browsers or redirect users to phishing sites designed to capture sensitive information. Additionally the exploitation could enable unauthorized actions performed on behalf of legitimate users including modification of church member records, access to confidential data such as financial information or personal details, and potential privilege escalation when administrative accounts are compromised.

Security mitigations for this vulnerability implementation require comprehensive output encoding across all user-controlled parameters and input contexts within the affected endpoints. Organizations should implement proper contextual encoding routines that differentiate between JavaScript string contexts HTML attributes and other output formats to prevent malicious code injection. The remediation in version 7.4.0 demonstrates the effectiveness of applying strict input validation and output encoding mechanisms as recommended by OWASP best practices and aligns with ATT&CK technique T1566 which covers social engineering through phishing attacks that can be facilitated by such XSS vulnerabilities. System administrators should ensure immediate deployment of the patched version and consider implementing additional security controls including content security policies to further reduce attack surface and prevent exploitation attempts against similar vulnerabilities in other components of the church management system infrastructure.

Responsible

GitHub M

Reservation

06/30/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00347

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!