PT-2025-51921 · Churchcrm · Churchcrm
Lukasz-Rybak · Published 2025-12-17 · Updated 2025-12-20 · CVE-2025-67875
CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3

Description: ChurchCRM is an open-source church management system. A flaw exists where an authenticated user with specific permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (XSS) payload into an administrator's profile. The payload executes when the administrator views their own profile, potentially allowing the attacker to hijack the administrator's session and perform administrative actions, leading to a full account takeover. The issue results from an Insecure Direct Object Reference (IDOR) that allows unauthorized profile viewing, combined with a Broken Access Control vulnerability that permits modification of user record properties.

Recommendations: Versions prior to 6.5.3 should be updated to version 6.5.3 or later.

Exploit

Fix

LPE

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-67875
GHSA-FCW7-MMFH-7VJM

Affected Products

Churchcrm