Impact
An authenticated user with Finance permissions can inject arbitrary HTML attribute delimiters and JavaScript event handlers into the donation comment field of the Pledge Editor. Because ChurchCRM writes the comment value directly into an HTML input attribute without escaping, the stored payload breaks out of the attribute, is rendered as part of the page markup, and executes in the browser of any user who later opens the pledge record for editing. This flaw is a classic stored XSS: an input validation and output encoding weakness (CWE-79) combined with a failure to apply proper character escaping for the HTML attribute context (CWE-116). The resulting impact is the execution of attacker-supplied scripts in the victim's browser session, which could include session hijacking, defacement, or credential theft. The vulnerability is limited to users who have the ability to view pledge records for editing and does not provide direct remote code execution on the server.
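The following PHP is an added illustration of the rendering flaw described above, not ChurchCRM's own code and not its 7.2.0 fix: a vulnerable attribute write beside an attribute-context-escaped one, plus a parser-based check that shows the unescaped comment introducing an extra attribute on the input element. The function names and the sample comment are constructed for this example.

```php
<?php
// Added example (not ChurchCRM's code): writing a stored comment straight into an
// HTML attribute, the escaped alternative, and a check that tells them apart.

// Vulnerable pattern: the raw comment is concatenated into the value attribute,
// so a double quote inside the comment closes the attribute early.
function renderCommentInputVulnerable(string $comment): string
{
    return '<input type="text" name="Comment" value="' . $comment . '">';
}

// Hardened pattern: escape for the attribute context. ENT_QUOTES encodes both
// quote characters, so the comment can never terminate the attribute it sits in.
function renderCommentInputSafe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="Comment" value="' . $encoded . '">';
}

// Check used by a reviewer or a unit test: parse the markup the way a browser
// would and list the attributes the <input> element actually ends up with.
function inputAttributeNames(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragment has no <html>/<body>; ignore warnings
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample comment containing the two ingredients the advisory names:
// an attribute delimiter (the double quote) and an event-handler attribute.
$stored = 'Roof fund" onfocus="alert(1)';

// The vulnerable render yields four attributes (type, name, value, onfocus);
// the escaped render yields the three the template intended.
echo implode(',', inputAttributeNames(renderCommentInputVulnerable($stored))), PHP_EOL;
echo implode(',', inputAttributeNames(renderCommentInputSafe($stored))), PHP_EOL;
```

Asserting that the attribute list equals exactly `type,name,value` for every stored comment is a cheap regression test for this class of bug in any template that interpolates user data into attributes.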
Affected Systems
ChurchCRM's open-source church management system, versions prior to 7.2.0, is affected. The issue is resolved in version 7.2.0 and later.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires authenticated access with Finance role privileges: an attacker must first hold a Finance-role account on the target church's ChurchCRM instance, after which the stored XSS payload is delivered automatically to any user who later edits the affected pledge. Because only users with view/edit access to pledge records are affected and no impact beyond script execution in the client is possible, the overall risk is moderate, but it could be elevated in environments with many Finance users and sensitive data exposure.
OpenCVE Enrichment