Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM - CVE-2025-67875

Published: April 9, 2026


Vulnerability identifier: #VU125677
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-67875
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software: ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in an administrator's browser and hijack the administrator's session.

The vulnerability exists due to improper neutralization of user-supplied data in the property assignment and profile rendering functionality: property values stored on a user's record are later displayed on that user's profile page without proper escaping. A remote user can assign a specially crafted property value to another user's record; when an administrator views that profile, the script executes in the administrator's browser and can be used to hijack the administrator's session.

User interaction is required because the administrator must view the affected profile page. Exploitation also requires permissions to edit records and to manage properties and classifications.
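The rendering flaw described above, shown as an added example that is not ChurchCRM's code: a stored property value is rendered once by plain string concatenation (the CWE-79 pattern) and once with context-appropriate escaping, and a small audit reports which tags and inline event handlers actually reached the output. The record layout, function names and sample property values are assumptions made for this illustration.

```python
"""Added illustration of the CWE-79 pattern in the advisory (not ChurchCRM code).

A user-controlled property value is stored on a person's record and later
rendered on that person's profile page. The first renderer concatenates the
raw value into HTML; the second escapes it for both element-content and
attribute context. Function names, the record layout and the sample values
are assumptions for this example, not the project's own.
"""
import html
from html.parser import HTMLParser

# Constructed sample record. Two of the property values carry markup that a
# browser would act on if the template inserted them unescaped.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "properties": {
        "Ministry": "Choir",
        "Notes": "<script>/* constructed marker */</script>",
        "Website": 'x" onmouseover="constructedHandler()',
    },
}

# Tags the profile template itself emits; anything else in the output came
# from stored data.
TEMPLATE_TAGS = frozenset({"h1", "table", "tr", "td"})


def render_profile_vulnerable(record):
    """Flawed renderer: stored values land in HTML without neutralization."""
    rows = []
    for key, value in record["properties"].items():
        rows.append(f'<tr><td>{key}</td><td title="{value}">{value}</td></tr>')
    return f"<h1>{record['name']}</h1><table>{''.join(rows)}</table>"


def render_profile_safe(record):
    """Hardened renderer: every stored string is escaped at output time.

    html.escape(..., quote=True) turns & < > " ' into entities, which is what
    element content and double-quoted attribute values both require.
    """

    def esc(s):
        return html.escape(str(s), quote=True)

    rows = []
    for key, value in record["properties"].items():
        rows.append(
            f'<tr><td>{esc(key)}</td><td title="{esc(value)}">{esc(value)}</td></tr>'
        )
    return f"<h1>{esc(record['name'])}</h1><table>{''.join(rows)}</table>"


class _MarkupAudit(HTMLParser):
    """Collects tags outside the template and inline event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in TEMPLATE_TAGS:
            self.findings.add(f"tag:{tag}")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.add(f"attr:{name}")


def audit_fragment(fragment):
    """Return a sorted list of findings; an empty list means only template
    markup reached the browser. Usable as a regression test for templates."""
    auditor = _MarkupAudit()
    auditor.feed(fragment)
    auditor.close()
    return sorted(auditor.findings)


if __name__ == "__main__":
    print("vulnerable:", audit_fragment(render_profile_vulnerable(SAMPLE_RECORD)))
    print("safe:      ", audit_fragment(render_profile_safe(SAMPLE_RECORD)))
```

The fix is escaping at output time for the context the value lands in; values placed into URL attributes or script blocks need their own encoding rather than HTML entity escaping alone. The audit function is the kind of check a project can keep in its test suite so that a template change which drops the escaping is caught before it ships, and a Content-Security-Policy that disallows inline script limits the impact if one is missed.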


How to mitigate CVE-2025-67875

Install the security update from the vendor's website.

Sources