PT-2025-7485 · ChurchCRM · ChurchCRM

Author: Michael Mcinerney
Published: 2025-02-19 · Updated: 2025-02-25
CVE: CVE-2025-1024
CVSS v4.0: 8.4 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/AU:Y/R:U/V:C/RE:L/U:Amber
Name of the Vulnerable Software and Affected Versions: ChurchCRM version 5.13.0

Description: A vulnerability exists in ChurchCRM that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. Exploitation requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application.

Recommendations: For ChurchCRM version 5.13.0, as a temporary workaround, consider disabling access to the EditEventAttendees.php page, or restricting how the EID parameter is accepted on that page, until a patch is available; avoiding use of the EID parameter on the affected page minimizes the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
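As an added illustration of the workaround (this is hypothetical example code, not ChurchCRM's own source), the unsafe pattern a reflected XSS of this kind comes from is shown beside a hardened handler that validates EID as a positive integer before use and HTML-encodes it on output; the function names and the surrounding markup are assumptions.

```php
<?php
// Added example, not ChurchCRM code: hypothetical handling of the EID
// query parameter on a page such as EditEventAttendees.php.

// Unsafe pattern: the raw request value is written into the HTML response,
// so any markup in EID is reflected to the browser unchanged.
function renderUnsafe(array $query): string
{
    $eid = $query['EID'] ?? '';
    return '<h2>Attendees for event ' . $eid . '</h2>';
}

// Hardened: EID must be a positive integer, anything else is rejected.
// filter_var() returns false for missing, non-numeric or out-of-range input.
function validatedEventId(array $query): ?int
{
    $eid = filter_var($query['EID'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    return $eid === false ? null : $eid;
}

// Output encoding is kept as defence in depth even though the value is
// already known to be an integer.
function renderSafe(array $query): string
{
    $eid = validatedEventId($query);
    if ($eid === null) {
        http_response_code(400);
        return '<p>Invalid event id.</p>';
    }
    return '<h2>Attendees for event '
        . htmlspecialchars((string) $eid, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h2>';
}

// Constructed sample inputs: a valid id, a non-numeric value, and no EID at all.
foreach ([['EID' => '42'], ['EID' => '42<b>x</b>'], []] as $q) {
    echo renderSafe($q), PHP_EOL;
}
```

Only the first sample input is rendered; the other two are answered with a 400 and a fixed message, which is the behaviour the "restrict the EID parameter" workaround aims for.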

Tags: Exploit, Improper Authentication, XSS

Related Identifiers: CVE-2025-1024

Affected Products: ChurchCRM