This vulnerability in Church Admin arises from improper neutralization of input during web page generation, leading to reflected cross-site scripting (XSS). An attacker could craft a malicious URL or input that, when processed by the affected versions of Church Admin (before 5.0.0), results in script execution in the victim's browser. The CVSS 3.1 vector indicates the attack can be performed remotely over the network with low attack complexity, requires no privileges but does require user interaction, and can impact confidentiality, integrity, and availability to a limited extent.

Successful exploitation of this vulnerability can lead to execution of arbitrary scripts in the context of the victim's browser, potentially allowing theft of session tokens, defacement, or other malicious actions affecting confidentiality, integrity, and availability of the affected system or user data. The reflected nature means the attack requires user interaction, such as clicking a crafted link.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution with untrusted input and consider implementing web application firewall (WAF) rules to detect and block reflected XSS attempts. Monitor vendor channels for updates and apply patches promptly once available.