Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking and account takeover
Action: Immediate patch
AI Analysis

Impact

ChurchCRM's GeoPage.php has a reflected cross-site scripting flaw that allows an authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. The injected code executes automatically via autofocus, with no further user interaction, enabling the attacker to steal session cookies and assume control of the victim's account, including accounts with administrative privileges.

Affected Systems

The vulnerable product is ChurchCRM. All installations running any version earlier than 7.1.0 are susceptible; versions 7.1.0 and newer contain the fix.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Two conditions are required for exploitation: the attacker must hold an authenticated account, and a victim must be tricked into submitting the crafted form; once the form is submitted, the payload executes without any further interaction. The likely attack vector is authenticated web requests directed at GeoPage.php. Prompt remediation is recommended to prevent account takeover.

Generated by OpenCVE AI on April 10, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official ChurchCRM update to version 7.1.0 or newer
  • Verify after the update that GeoPage.php no longer reflects user-supplied input without encoding it
  • If an immediate update is not feasible, restrict access to GeoPage.php so that only administrators can submit forms to eliminate the injection opportunity

Generated by OpenCVE AI on April 10, 2026 at 23:08 UTC.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

  Type: CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

  Type: First Time appeared
  Values removed: (none)
  Values added: Churchcrm; Churchcrm churchcrm

  Type: Vendors & Products
  Values removed: (none)
  Values added: Churchcrm; Churchcrm churchcrm

Wed, 08 Apr 2026 15:15:00 +0000

  Type: Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

  Type: Description
  Values removed: (none)
  Values added: ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0.

  Type: Title
  Values removed: (none)
  Values added: ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php

  Type: Weaknesses
  Values removed: (none)
  Values added: CWE-79

  Type: References

  Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:41:01.071Z

Reserved: 2026-04-06T20:28:38.393Z

Link: CVE-2026-39332

Vulnrichment

Updated: 2026-04-08T14:40:56.523Z

NVD

Status: Analyzed

Published: 2026-04-07T18:16:44.717

Modified: 2026-04-10T20:58:07.087

Link: CVE-2026-39332

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:26:34Z

Weaknesses