CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user, including administrators, views the attacker's profile, their session cookies are exfiltrated to a remote server. This vulnerability is fixed in 7.1.0.
Analysis
ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrate administrator session cookies through stored XSS in social media profile fields. Attackers chain JavaScript payloads across Facebook, LinkedIn, and X fields using onfocus event handlers to bypass 50-character limits, automatically executing when any user (including administrators) views the malicious profile. …
Remediation
Within 24 hours: Identify all ChurchCRM instances and document current versions; disable social media profile field editing for non-administrator accounts if possible through configuration. Within 7 days: Upgrade ChurchCRM to version 7.1.0 or later once available, or implement input validation/sanitization on social media profile fields as a temporary control. …
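The description above shows why a length limit alone is not a control: three 50-character fields were enough to carry a chained payload. The temporary control the remediation suggests, validating the social media fields on input and encoding them on output, looks like the following. This is an added example in Python, not ChurchCRM's own code (ChurchCRM is a PHP application); the allowed host lists, the handle character set and the handle-to-URL base paths are assumptions chosen for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Added example, not ChurchCRM code. Which hosts each field may point to
# is an assumption; adjust to what the deployment actually accepts.
ALLOWED_HOSTS = {
    "facebook": ("facebook.com", "www.facebook.com"),
    "linkedin": ("linkedin.com", "www.linkedin.com"),
    "x": ("x.com", "www.x.com", "twitter.com"),
}
MAX_LEN = 50  # the per-field limit the advisory mentions

# A bare account handle: optional leading @, then a conservative character set.
HANDLE_RE = re.compile(r"@?[A-Za-z0-9_.-]{1,50}")
# Path of an allowed profile URL: no quotes, spaces, angle brackets or '='.
PATH_RE = re.compile(r"/[A-Za-z0-9_./-]*")


def normalize_social_field(field: str, raw: str):
    """Return the canonical value to store, or None if the input is neither a
    plain handle nor an https URL on an allowed host.

    Input that is not on the allowlist (quotes, angle brackets, spaces,
    other schemes, other hosts, query strings) is rejected outright rather
    than "cleaned", so there is no sanitizer to bypass.
    """
    if field not in ALLOWED_HOSTS:
        return None
    value = raw.strip()
    if value == "":
        return ""  # empty is a valid, cleared field
    if len(value) > MAX_LEN:
        return None
    if HANDLE_RE.fullmatch(value):
        return value.lstrip("@")
    parts = urlsplit(value)
    if parts.scheme.lower() != "https":
        return None
    host = parts.netloc.lower()  # userinfo or a port make this not match
    if host not in ALLOWED_HOSTS[field]:
        return None
    if not PATH_RE.fullmatch(parts.path) or parts.query or parts.fragment:
        return None
    return f"https://{host}{parts.path}"


def render_profile_link(field: str, stored: str) -> str:
    """Defence in depth: encode for the HTML attribute and text contexts at
    output time, even though validation should already have rejected
    anything dangerous. The handle-to-URL base path is an assumption."""
    if not stored:
        return ""
    href = stored if stored.startswith("https://") else (
        f"https://{ALLOWED_HOSTS[field][0]}/{stored}")
    return (f'<a href="{html.escape(href, quote=True)}" '
            f'rel="noopener noreferrer">{html.escape(stored, quote=True)}</a>')


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate values, three that must be refused.
    samples = [
        ("facebook", "@john.doe"),
        ("linkedin", "https://www.linkedin.com/in/jane-doe/"),
        ("x", 'jdoe" onfocus=x'),           # attribute breakout attempt
        ("x", "https://example.org/jdoe"),  # wrong host
        ("facebook", "javascript:void(0)"),  # wrong scheme
    ]
    for field, raw in samples:
        stored = normalize_social_field(field, raw)
        print(f"{field:9} {raw!r:45} -> {stored!r}")
        if stored:
            print("   ", render_profile_link(field, stored))
```

The validator is deliberately an allowlist: a value either matches one of two narrow shapes or is refused with no attempt to strip tags or event handlers. `render_profile_link` is the second layer; if any other code path writes to these columns, the template still never emits an unescaped quote or angle bracket.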
EUVD-2026-19823