PT-2025-6818 · Churchcrm · Churchcrm

Michael Mcinerney · Published 2025-02-18 · Updated 2025-02-19 · CVE-2025-0981

CVSS v4.0: 8.4 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/AU:Y/R:U/V:C/RE:L/U:Amber
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions 5.13.0 and prior

Description: A stored cross-site scripting (XSS) vulnerability exists in the Group Editor page and allows attackers to hijack user sessions. A user with admin privileges can inject malicious JavaScript into the group description field; because the value is stored, the script later executes for authenticated users who view the page and captures their session cookie. The cookie can then be sent to an external server, enabling session hijacking and potentially leading to information disclosure, since an exposed session cookie can be used to impersonate the user and gain unauthorized access to sensitive information.

Recommendations: For ChurchCRM versions 5.13.0 and prior, consider disabling the Group Editor page or restricting access to it until a patch is available. As a temporary workaround, avoid using the description field in the Group Editor page so that no malicious JavaScript can be stored there. Restrict access to sensitive information and monitor user activity for signs of session hijacking. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
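As an added example (not part of this advisory and not ChurchCRM's own code), the two defender-side checks that follow from the description above: a triage pass over stored group descriptions that flags active HTML content already sitting in the database, and an output-escaping step that renders a description inert however it was stored. The record layout and sample descriptions are constructed; ChurchCRM's real table and column names are not given on this page.

```python
import html
import re

# Constructed sample records standing in for ChurchCRM group rows; the
# real table and column names are not given on the advisory page.
SAMPLE_GROUPS = [
    {"id": 1, "name": "Choir", "description": "Meets Sundays & Wednesdays <3"},
    {"id": 2, "name": "Ushers", "description": "Front door team, arrive 9:15"},
    {"id": 3, "name": "Youth", "description": 'Welcome! <img src=x onerror="alert(1)">'},
    {"id": 4, "name": "Elders", "description": "<script>alert(1)</script>"},
]

# Markup that should never appear in a plain-text group description.
# Tag names are anchored so that "<3" in ordinary text is not flagged.
ACTIVE_CONTENT_PATTERNS = {
    "script_like_tag": re.compile(r"<\s*/?\s*(script|iframe|object|embed|svg)\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
}


def find_suspicious_descriptions(groups):
    """Return the groups whose description contains active HTML content,
    with the names of the patterns that matched. This is a triage aid for
    data that is already stored, not a sanitiser."""
    flagged = []
    for group in groups:
        text = group.get("description") or ""
        hits = [name for name, rx in ACTIVE_CONTENT_PATTERNS.items() if rx.search(text)]
        if hits:
            flagged.append({"id": group["id"], "name": group["name"], "matched": hits})
    return flagged


def render_description(description):
    """Escape a description for insertion into an HTML page. The stored
    text is kept verbatim, but <, >, &, and quotes become entities, so
    markup an admin stored in the field is displayed literally, not run."""
    return html.escape(description, quote=True)


if __name__ == "__main__":
    for hit in find_suspicious_descriptions(SAMPLE_GROUPS):
        print(f"group {hit['id']} ({hit['name']}): {', '.join(hit['matched'])}")
    print(render_description(SAMPLE_GROUPS[3]["description"]))
```

Escaping on output is the fix that removes the bug class; the triage pass only tells you whether something was stored before that fix was in place.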

Tags: Exploit · XSS · Improper Authentication


Weakness Enumeration

Related Identifiers: CVE-2025-0981

Affected Products: Churchcrm