Description
ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) with potential account compromise
Action: Immediate Patch
AI Analysis

Impact

ChurchCRM, an open‑source church management system, contains a stored cross‑site scripting vulnerability in its Person Property Management subsystem. An authenticated user can inject arbitrary JavaScript into a dynamically assigned person property. Because the payload is stored in the database, it is executed whenever another user views the affected person’s profile or accesses the printable view, which can enable session hijacking or full account compromise.

Affected Systems

All installations of ChurchCRM running versions prior to 7.0.0 are affected, including those that applied the patch for CVE‑2023‑38766. The flaw resides in the PrintView.php component that renders person properties. Users with editing privileges on person records—typically church staff or administrators—can use the vulnerability, while unauthenticated users cannot inject code.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, yet the EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. Knock‑on risk remains because only authenticated users with access to person properties can disclose payloads, but given that this privilege is common among internal users, the threat surface is relatively high for organizations that do not restrict such access.

Generated by OpenCVE AI on April 9, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch by upgrading to ChurchCRM version 7.0.0 or later.
  • Verify that the upgrade successfully removed the vulnerable code path; test by attempting to inject payload into a person property and confirming it does not execute.
  • Restrict editing permissions on person properties to the minimum required users to reduce attack potential.
  • Regularly monitor the ChurchCRM community advisories and security bulletins for future updates.

Generated by OpenCVE AI on April 9, 2026 at 21:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.
Title ChurchCRM has Stored Cross-Site Scripting (XSS) in Person Properties via PrintView.php
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T15:46:32.060Z

Reserved: 2026-04-03T20:09:02.827Z

Link: CVE-2026-35576

cve-icon Vulnrichment

Updated: 2026-04-09T15:46:03.190Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:42.273

Modified: 2026-04-09T18:46:54.157

Link: CVE-2026-35576

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:24Z

Weaknesses