Church Donation System
CVE-2025-8167
Severity: LOW
CVSS vector (NVD; the only rating source for this CVE):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_members.php. The manipulation of the argument fname leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
Analysis (AI)
Cross-site scripting (XSS) in Church Donation System 1.0 allows authenticated remote attackers to inject arbitrary JavaScript via the fname parameter in /admin/edit_members.php; execution requires user interaction. A proof-of-concept exploit has been disclosed publicly, but the EPSS score of 0.05% (16th percentile) indicates a low probability of real-world exploitation despite that availability.
Technical Context (AI)
The vulnerability is a reflected or stored cross-site scripting flaw (CWE-79) in a PHP-based church management application. The fname parameter in the administrative edit_members.php endpoint fails to properly sanitize or encode user input before rendering it in HTTP responses. Attackers with valid administrative credentials can craft malicious payloads containing JavaScript code that executes in the context of other administrators' browsers when they view member records. The CVSS vector indicates the attack requires network access (AV:N), low complexity (AC:L), and is contingent on legitimate admin privileges (PR:L) plus user interaction (UI:P), making it a low-impact XSS with limited scope.
Remediation (AI)
No vendor-released patch is identified in available data. The primary remediation is to upgrade to a patched version if the vendor provides one (check code-projects.org or the GitHub repository for updates). If no patch exists, apply input validation and output encoding to the fname parameter and to every other user-controlled input in /admin/edit_members.php, either by HTML entity encoding at the point of output or by using a templating engine with auto-escaping. As compensating controls, restrict /admin/* endpoints to trusted IP addresses or a VPN to reduce the attack surface for authenticated exploitation, and disable or restrict admin actions driven by untrusted URL parameters, enforcing POST-based state changes instead. Enable Content Security Policy (CSP) headers to prevent inline JavaScript execution. Side effects: CSP may break legitimate admin-interface JavaScript if not carefully configured, and IP restrictions may impact remote administration workflows.
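The following is an added illustrative example, not code from the Church Donation System or from code-projects. It models the general pattern behind this class of flaw (a request parameter echoed into HTML without encoding) beside the output-encoding fix and the CSP header recommended above. The function names, the form layout and the sample input are assumptions constructed for the demonstration; the real edit_members.php was not examined.

```php
<?php
// Added example (not the project's code). Models the CWE-79 pattern described
// for CVE-2025-8167: an admin page echoing the "fname" parameter into markup.
// Function names and the form fragment are assumptions for illustration.

// Vulnerable pattern: user-controlled input interpolated straight into HTML.
function render_member_form_vulnerable(array $params): string
{
    $fname = (string) ($params['fname'] ?? '');
    return '<input type="text" name="fname" value="' . $fname . '">';
}

// Encode for the HTML attribute context. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode at the point of output, regardless of whether the
// value came from the request (reflected) or from the members table (stored).
function render_member_form_hardened(array $params): string
{
    $fname = (string) ($params['fname'] ?? '');
    return '<input type="text" name="fname" value="' . html_attr($fname) . '">';
}

// Defence in depth: a CSP that disallows inline scripts. Verify the admin UI
// under this policy first; legitimate inline <script> blocks and on* handlers
// are blocked too, which is the side effect noted in the remediation text.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Constructed sample input: markup characters, no script payload, enough to
// show that the vulnerable rendering breaks out of the attribute.
$sample = ['fname' => '"><b>injected</b>'];
echo "vulnerable: " . render_member_form_vulnerable($sample) . PHP_EOL;
echo "hardened:   " . render_member_form_hardened($sample) . PHP_EOL;
```

Run with `php example.php`: the vulnerable line shows the attribute closed and a new element inserted, while the hardened line renders the same characters as `&quot;&gt;&lt;b&gt;...`, so the browser treats them as literal text inside the value. The encoding belongs at output time rather than at input time, because the same stored value may later be emitted into a different context (attribute, element body, JavaScript string) that needs a different encoder.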