The vulnerability is a stored cross‑site scripting flaw in ChurchCRM. Configuration values that are rendered into HTML attributes are not escaped, allowing an attacker to inject arbitrary JavaScript. The injection occurs in Directory Reports form fields set from config, person editor defaults in address fields, and external self‑registration form defaults. Because the affected data is stored and subsequently displayed to administrative users, the impact is that an attacker who can modify writable configuration sections could persist malicious script that runs in the browser context of any admin who views these pages, potentially compromising session data or executing further attacks.

The flaw affects ChurchCRM’s open‑source church management system before version 7.1.0. Administrators who can alter configuration values are able to exploit the stored XSS. All installations using an earlier release and relying on the Directory Reports, Person editor, or self‑registration default fields are at risk.

The CVSS score of 6.1 reflects moderate severity. The low EPSS score indicates that exploitation is currently unlikely but possible. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to achieve write access to the configuration area and then load an affected page as an administrative user. The exposed attack vector is primarily insider or privileged compromise leading to script execution in privileged browsers.