Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.
AnalysisAI
Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScript through the Person Property Management subsystem, executing when other users view affected profiles. This vulnerability persists despite previous CVE-2023-38766 patches and enables session hijacking or account compromise through persistent payload execution. No public exploit identified at time of analysis, though CVSS score of 8.7 reflects high impact with cross-site scripting scope allowing privilege escalation beyond the attacker's session context.
Technical ContextAI
This is a persistent XSS vulnerability (CWE-79) affecting the ChurchCRM open-source church management platform (cpe:2.3:a:churchcrm:crm). The flaw resides in the Person Property Management subsystem, which allows dynamic assignment of custom properties to person records. Insufficient input validation and output encoding on user-supplied property values enables injection of arbitrary JavaScript that is stored in the database and rendered without sanitization when profiles are accessed. The vulnerability demonstrates a regression or incomplete fix from CVE-2023-38766, indicating the previous patch did not adequately address all XSS attack vectors within the property management functionality. The cross-site scripting scope (S:C in CVSS vector) indicates the injected code executes in victims' browser contexts with different privileges than the attacker.
RemediationAI
Upgrade to ChurchCRM version 7.0.0 or later, which contains comprehensive fixes for the Person Property Management XSS vulnerability via pull request #8016 (https://github.com/ChurchCRM/CRM/pull/8016). Organizations unable to immediately upgrade should implement defense-in-depth controls including restricting person property modification permissions to highly trusted administrators only, deploying Content Security Policy headers to mitigate JavaScript execution, and conducting audit reviews of existing person properties for suspicious content. Review access logs for accounts that recently modified person properties and consider rotating session tokens for users who may have viewed affected profiles. Complete vendor advisory and upgrade guidance available at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv.
The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP c
The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. Rated medium severity (CVSS 6.1), this vulner
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-
Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by i
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path trav
ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrat
SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary S
Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrar
Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover throu
Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access rea
Server-Side Request Forgery in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to trigger outbound
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized req
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19774