Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote characters allowing an attacker to break out of the href attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS fires against any user who views that person's profile page, including administrators, enabling session hijacking and full account takeover. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

A stored cross‑site scripting flaw in ChurchCRM’s PersonView.php allows authenticated users with EditRecords privileges to inject malicious JavaScript into a person’s Facebook field. The flaw arises because sanitizeText only removes tags but fails to escape quotation marks, enabling a break‑out from an href attribute. When another user visits that profile, the injected script runs in their browser, permitting session hijacking and complete account takeover. This weakness involves improper input validation and unsafe output handling.

Affected Systems

ChurchCRM version 7.0.x and earlier, before the 7.1.0 release, are affected. The vulnerability is tied to the PersonView.php component in the core CRM application. All installations that have not applied the 7.1.0 patch or that continue to use the default Facebook field storage are vulnerable, regardless of deployment size or database configuration.

Risk and Exploitability

The CVSS v3 score of 7.6 indicates high severity. Because exploitation requires legitimate user authentication and a role that allows record edits, the attack surface is limited to users who can edit church member data. EPSS is below 1%, suggesting current exploitation attempts are rare, and the vulnerability is not listed in the CISA KEV catalog. The high impact combined with the ability to hijack admin sessions makes the flaw a priority for remediation. An attacker would need to compromise an EditRecords account to insert the payload, after which arbitrary code could run in anyone’s browser viewing the injected profile.

Generated by OpenCVE AI on April 10, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ChurchCRM 7.1.0 or newer
  • Restrict EditRecords privileges to trusted users or disable the Facebook field until the patch is applied
  • Verify that stored data in the Facebook field is properly sanitized or removed
  • Monitor for anomalous JavaScript injection patterns and review user activity logs

Generated by OpenCVE AI on April 10, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote characters allowing an attacker to break out of the href attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS fires against any user who views that person's profile page, including administrators, enabling session hijacking and full account takeover. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection
Weaknesses CWE-116
CWE-79
CWE-87
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:19:01.737Z

Reserved: 2026-04-03T02:15:39.281Z

Link: CVE-2026-35534

cve-icon Vulnrichment

Updated: 2026-04-09T16:14:51.355Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T16:16:29.213

Modified: 2026-04-10T21:22:50.750

Link: CVE-2026-35534

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:26:45Z

Weaknesses