EUVD-2026-13429CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
3Description
ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2.
Analysis
ChurchCRM versions prior to 7.0.2 contain a stored cross-site scripting (XSS) vulnerability in the system settings module where administrative users can inject unescaped JavaScript payloads into JSON-type system settings fields. Any administrator who subsequently views the system settings page will execute the attacker's malicious script, potentially allowing credential theft, session hijacking, or lateral movement within the church organization's administrative infrastructure. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today