Impact
The vulnerability exists in ChurchCRM’s SystemSettings.php, where JSON input for system settings is accepted without the necessary escaping or sanitization. An administrator can embed a malicious JavaScript payload in the JSON, and it is rendered unfiltered when another administrator views the settings. This is a stored cross‑site scripting flaw: an attacker with administrative access can execute arbitrary client‑side code in other admins’ browsers, potentially stealing session cookies, logging keystrokes, or defacing the application.
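As an added, defender-side illustration (this is not ChurchCRM's code; the function names, variable names and the sample settings JSON are all constructed for this example), the following PHP places the unescaped rendering pattern the advisory describes beside two hardened forms: HTML-encoding a setting value at the point it is written into page markup, and JSON-encoding with the HEX flags when a value has to be handed to an inline script block.

```php
<?php
// Added example (not ChurchCRM's code). Function and variable names are
// assumptions chosen for this illustration.

// Constructed sample: a stored settings JSON blob in which one value carries
// an HTML/script fragment of the kind an administrator could save.
$storedSettingsJson = '{"sSiteName":"Example Parish","sCustomNote":"<script>alert(1)</script>"}';

/**
 * Decode the stored JSON strictly: malformed input raises an exception
 * instead of silently yielding null that later code echoes anyway.
 */
function decodeSettings(string $json): array
{
    $decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('settings JSON must decode to an object');
    }
    return $decoded;
}

/** Vulnerable pattern: the stored value reaches the page body unescaped. */
function renderUnescaped(string $value): string
{
    return '<td>' . $value . '</td>';
}

/** Hardened: HTML-encode every value where it is emitted into markup. */
function renderEscaped(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

/**
 * Hardened: when settings must be exposed to inline JavaScript, encode them
 * with json_encode and the HEX flags so "<", ">", "&" and quotes become
 * \uXXXX escapes and cannot close the <script> block or a string literal.
 */
function renderForInlineScript(array $settings): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return '<script>var settings = ' . json_encode($settings, $flags) . ';</script>';
}

$settings = decodeSettings($storedSettingsJson);

foreach ($settings as $key => $value) {
    // The sample holds only scalar strings; nested arrays would need recursive handling.
    $value = (string) $value;
    echo "$key (unescaped): " . renderUnescaped($value) . "\n";
    echo "$key (escaped):   " . renderEscaped($value) . "\n";
}
echo renderForInlineScript($settings) . "\n";
```

The escaping is applied at output time rather than on save, so a value that was stored before the fix is still rendered safely, and the same encoded representation works whether the setting lands in a table cell or in a script block.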
Affected Systems
All ChurchCRM installations running a version earlier than 7.0.2 are affected. The vulnerability was identified in the open‑source church management system tracked under the vendor/product identifier ChurchCRM:CRM. The issue was resolved in the 7.0.2 release, so any deployment on 7.0.2 or later is not vulnerable.
Risk and Exploitability
The CVSS base score is 6.4, indicating moderate severity. The EPSS probability is below 1%, making widespread exploitation unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an account with administrative privileges; once that condition is met, the attacker can inject malicious scripts that execute in the browsers of other administrators who view the affected settings. Remote exploitation by an unauthenticated user is not possible, but an insider or a compromised admin account could pose a significant risk to the integrity and confidentiality of the system.
OpenCVE Enrichment