Impact
This vulnerability is a stored cross-site scripting (XSS) flaw in ChurchCRM's person profile editing function. An attacker can embed malicious JavaScript in the Facebook, LinkedIn, and X profile fields of their own record. Because each field is limited to 50 characters, the payload is split across all three fields and chained through onfocus event handlers so that the fragments run in sequence when the profile is displayed. When any user, including an administrator, views the attacker's profile, that viewer's session cookies are sent to an attacker-controlled server, enabling session hijacking and potential full account compromise. The root cause is unsafe handling of user-supplied input in generated web pages, consistent with CWE-79.
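As an added illustration, not code from ChurchCRM or from the advisory, the following JavaScript models the pattern described above: three social-profile fields each capped at 50 characters, a renderer that interpolates them raw into an href attribute, a hardened renderer that HTML-escapes them and accepts only http(s) URLs, and a check that finds records already carrying event-handler fragments. The field names, the sample fragments and the detection pattern are assumptions made for this example; the fragments only call alert rather than exfiltrate anything.

```javascript
// Added example modelling the stored-XSS pattern; not ChurchCRM's own code.
// Field names, limit handling, payload fragments and the regex are assumptions.

const FIELD_LIMIT = 50;                          // per-field cap described on the page
const SOCIAL_FIELDS = ["facebook", "linkedin", "x"];

// Escape the five characters that break out of HTML text or attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Server-side store: enforces the length limit but (like the flaw) nothing else.
function storeProfile(fields) {
  const stored = {};
  for (const name of SOCIAL_FIELDS) {
    const v = fields[name] ?? "";
    if (v.length > FIELD_LIMIT) throw new Error(`${name} exceeds ${FIELD_LIMIT} chars`);
    stored[name] = v;
  }
  return stored;
}

// Vulnerable renderer: raw interpolation into an href attribute, so a value that
// closes the quote can add attributes such as onfocus to the anchor element.
function renderProfileUnsafe(stored) {
  return SOCIAL_FIELDS.map((n) => `<a href="${stored[n]}">${n}</a>`).join("\n");
}

// Hardened renderer: only http(s) URLs reach href, and every value is escaped
// both in the attribute and in the visible link text.
function renderProfileSafe(stored) {
  return SOCIAL_FIELDS.map((n) => {
    const v = stored[n];
    const href = /^https?:\/\//i.test(v) ? escapeHtml(v) : "#";
    return `<a href="${href}">${escapeHtml(v || n)}</a>`;
  }).join("\n");
}

// Detection: social-profile URLs have no business containing markup, inline
// event handlers or javascript: URLs. Run this over existing person records
// to find fields that were poisoned before the fix was deployed.
const SUSPICIOUS = /<|>|on\w+\s*=|javascript:/i;
function findTaintedFields(stored) {
  return SOCIAL_FIELDS.filter((n) => SUSPICIOUS.test(stored[n]));
}

// Constructed sample record: each fragment stays under the 50-character limit,
// but each closes the href attribute and appends an onfocus handler, which is
// the chaining trick the advisory describes (here with harmless alert calls).
const attackerProfile = storeProfile({
  facebook: `" onfocus="alert(1)" x="`,
  linkedin: `" onfocus="alert(2)" x="`,
  x: "https://x.com/benign",
});

console.log("unsafe:\n" + renderProfileUnsafe(attackerProfile));
console.log("safe:\n" + renderProfileSafe(attackerProfile));
console.log("tainted fields:", findTaintedFields(attackerProfile));
```

Run it with node; the unsafe output shows anchors that carry their own onfocus attribute, while the safe output keeps the same text inert as `&quot; onfocus=&quot;...`. The length cap is what forces the split into several fragments; it is not a control, and the fix is contextual output encoding plus URL validation at render time, with a sweep of stored values for records that were poisoned earlier.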
Affected Systems
The affected product is ChurchCRM, a free and open-source church management system. All versions prior to 7.1.0 are vulnerable. Any user holding the EditSelf permission, including non-administrative users, can inject script into the social profile fields of their own record, so an ordinary member account is sufficient to plant the payload.
Risk and Exploitability
The CVSS score of 8.9 indicates high severity. The EPSS score below 1% suggests a low probability of exploitation in the wild at present, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a victim to view the malicious profile, so it depends on user interaction, but the injection itself needs only an account, internal or external, that can edit its own profile. Because the victim's session cookies are delivered to an attacker-controlled server, the impact includes session hijacking, data theft, and further privilege escalation within ChurchCRM if the victim is an administrator.
OpenCVE Enrichment