#VU125677 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM - CVE-2025-67875

Published: April 9, 2026


Vulnerability identifier: #VU125677
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-67875
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to execute arbitrary script in an administrator's browser and hijack the administrator's session.

The vulnerability exists due to cross-site scripting in the property assignment and profile rendering functionality when storing and displaying user-controlled property values on a user's profile page. A remote user can assign a specially crafted property value to another user's record to execute arbitrary script in an administrator's browser and hijack the administrator's session.

User interaction is required because the administrator must view the affected profile page, and exploitation requires permissions to edit records and manage properties and classifications.
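The rendering pattern the description points at, as an added illustration in PHP rather than code from ChurchCRM or this advisory: the unencoded form that lets a stored property value reach the viewer's browser as markup, beside the context-encoded form that displays it as inert text. Function names and the sample property data are assumptions.

```php
<?php
// Added illustration (not ChurchCRM's code). Property names and values are
// user-controlled: anyone with edit-records and manage-properties rights can
// store them, and an administrator viewing the profile page renders them.

// Encode for HTML text and attribute context: covers < > & " '.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: stored values are concatenated into the page unchanged,
// so markup saved on one record runs in the browser of whoever views it.
function renderPropertiesUnsafe(array $props): string {
    $out = '<ul class="person-properties">';
    foreach ($props as $name => $value) {
        $out .= "<li><strong>{$name}</strong>: {$value}</li>";
    }
    return $out . '</ul>';
}

// Hardened pattern: every dynamic fragment is encoded at output time. The
// property name is escaped too, since it is also user-defined, and encoding
// happens where the value lands rather than relying on checks at store time.
function renderPropertiesSafe(array $props): string {
    $out = '<ul class="person-properties">';
    foreach ($props as $name => $value) {
        $out .= '<li><strong>' . h((string)$name) . '</strong>: '
              . h((string)$value) . '</li>';
    }
    return $out . '</ul>';
}

// Constructed sample: a property value containing markup, as an editor could store it.
$sample = ['Allergies' => 'none', 'Note' => '<script>alert(1)</script>'];
echo renderPropertiesUnsafe($sample), PHP_EOL; // script tag reaches the browser live
echo renderPropertiesSafe($sample), PHP_EOL;   // shown as &lt;script&gt;... text only
```

Escaping at the point of output is the fix the CWE-79 classification calls for; input validation at store time is only defense in depth, because the same stored value may be rendered in several contexts.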


Remediation

Install the security update from the vendor's website.

External links