PT-2025-51922 · Churchcrm · Churchcrm

Lukasz-Rybak · Published 2025-12-17 · Updated 2025-12-20 · CVE-2025-67876

CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions 6.4.0 and prior
Description: ChurchCRM is an open-source church management system affected by a stored cross-site scripting (XSS) issue. A user with the "Manage Groups" permission can inject persistent JavaScript into a group role name. The payload is stored in the database and executed in the browser of any user who views a page that displays that role, such as GroupView.php or PersonView.php, so the attacker only needs a victim to open an ordinary page (the UI:P in the vector). Because the script runs in the victim's authenticated session, it can be used for session hijacking and account takeover; reading the session cookie itself requires that the cookie be accessible from script, but even with HttpOnly set the injected code can issue authenticated requests on the victim's behalf. Any page that renders group roles is potentially affected.
Recommendations: At the time of writing there is no information about a release that contains a fix for this vulnerability. Until one is available, restrict the "Manage Groups" permission to trusted administrators and review existing group role names for HTML markup or script.
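The rendering flaw described above, reduced to a runnable illustration. This is an added example, not ChurchCRM's own code: the advisory does not show the affected template, so the role-name payload, the two render functions and the audit check below are all constructed here to show the unsafe pattern next to its hardened form.

```php
<?php
// Added example, not ChurchCRM's own code. Illustrates the pattern behind
// CVE-2025-67876: a group role name stored by a "Manage Groups" user is
// later echoed into HTML without output encoding. All names and the
// payload are constructed for this demonstration.

declare(strict_types=1);

// Constructed role-name payload of the kind an attacker could store.
// In this script it is only a string; nothing here executes it.
const ATTACKER_ROLE_NAME = 'Member<img src=x onerror="alert(document.cookie)">';

// Vulnerable rendering (assumed pattern): the stored value is interpolated
// into markup as-is, so a browser parses the <img> tag and runs onerror.
function renderRoleVulnerable(string $roleName): string
{
    return "<td>{$roleName}</td>";
}

// Hardened rendering: encode for the HTML text context. ENT_QUOTES covers
// both quote styles; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8, which would silently drop the value instead of showing it.
function renderRoleSafe(string $roleName): string
{
    return '<td>' . htmlspecialchars($roleName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</td>';
}

// Audit helper: flag stored role names containing characters a clean role
// name should not, so an administrator can review rows that were already
// poisoned before a fixed release is available. This is a hypothetical
// check, not a ChurchCRM feature; output encoding remains the real fix.
function looksLikeMarkup(string $roleName): bool
{
    return (bool) preg_match('/[<>"\']|javascript:|on\w+\s*=/i', $roleName);
}

// Demonstration run over a constructed list of role names.
$roles = ['Leader', 'Treasurer', ATTACKER_ROLE_NAME];

foreach ($roles as $role) {
    printf("role:       %s\n", $role);
    printf("vulnerable: %s\n", renderRoleVulnerable($role));
    printf("safe:       %s\n", renderRoleSafe($role));
    printf("flagged:    %s\n\n", looksLikeMarkup($role) ? 'yes' : 'no');
}
```

Run it with `php example.php`: the vulnerable line reproduces the `<img ... onerror=...>` tag verbatim, while the safe line renders `&lt;img src=x onerror=&quot;...&quot;&gt;`, which a browser displays as text. The audit check is a triage aid only; the table and column holding role names are schema-specific and are not given in the advisory, so the query that feeds it is left to the administrator.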

Exploit

XSS


Weakness Enumeration

Related Identifiers

CVE-2025-67876
GHSA-j9gv-26c7-3qrh

Affected Products

Churchcrm