ChurchCRM versions earlier than 7.1.1 contain a stored cross‑site scripting flaw that arises when unescaped data-* attributes are entered in the group remove control or the family editor state or country fields. The injected payload is persisted in the database and rendered every time the affected page is viewed in a browser, allowing an attacker to run arbitrary JavaScript in that context. This capability can be used for defacement, credential theft or other malicious actions inside the application, representing a classic HTML injection weakness identified as CWE-79.

The vulnerability affects installations of ChurchCRM older than version 7.1.1, specifically the open‑source church management system. The flaw is present in the core product and is not limited to a specific deployment environment. Operators of any such installations should verify their version and ensure that the upgrade to 7.1.1 or later has been applied to remove the risk.

The CVSS score of 6.1 indicates a moderate severity level. The EPSS score of less than 1% suggests that exploitation of this flaw is currently unlikely to be widespread, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must first gain administrator‑level write access to the group or family edit interfaces to inject malicious data. Once the payload is stored, it will be executed in the browsers of any users who subsequently view the compromised pages, meaning that both privileged and non‑privileged users could be. The overall risk is therefore moderate, with the primary threat domain being information disclosure and potential user session compromise rather than complete system takeover.