Which versions of Churchcrm are affected by CVE-2025-0981?

Organizations using A vulnerability exists in ChurchCRM 5.13.0 and prior that face notable risk from CVE-2025-0981, a improper authentication vulnerability rated CVSS 8.4.

Is there a public PoC exploit available for CVE-2025-0981?

Yes, a public proof-of-concept exploit is available for CVE-2025-0981. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-0981?

Within 7 days: Identify all affected systems running ChurchCRM 5.13.0 and and apply vendor patches promptly. Audit authentication configurations and rotate any potentially compromised credentials.

Churchcrm CVE-2025-0981

Q: What is the CVSS score of CVE-2025-0981?

CVE-2025-0981 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber. EPSS exploitation probability: 0.1%.

HIGH

Improper Authentication (CWE-287)

2025-02-18 b7efe717-a805-47cf-8e9a-921fca0ce0ce

Information Disclosure Authentication Bypass XSS Churchcrm

8.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:27 vuln.today

PoC Detected

Feb 21, 2025 - 15:23 vuln.today

Public exploit code

CVE Published

Feb 18, 2025 - 10:15 nvd

HIGH 8.4

DescriptionCVE.org

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

AnalysisAI

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information. Affected products include: Churchcrm.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.

CVE-2025-0981 vulnerability details – vuln.today

Back