CVE-2025-67874 is a vulnerability classified under CWE-204 (Observable Response Discrepancy) affecting ChurchCRM, an open-source church management system. In versions prior to 6.5.0, the application improperly echoes plaintext passwords submitted by users back in subsequent HTTP responses. This behavior constitutes a significant information disclosure flaw because it exposes sensitive credentials to anyone able to observe the HTTP traffic or access the responses. The vulnerability does not require user interaction or authentication but does require the attacker to have high privileges within the system, which limits the ease of exploitation. However, once exploited, it can facilitate credential harvesting, enabling attackers to compromise user accounts. Furthermore, this vulnerability can exacerbate the impact of other security issues such as Cross-Site Scripting (XSS), Insecure Direct Object References (IDOR), and session fixation attacks by providing attackers with plaintext passwords, thus increasing the attack surface and potential damage. The vulnerability was publicly disclosed on December 16, 2025, with a CVSS 4.0 base score of 6.9 (medium severity). The fix was implemented in ChurchCRM version 6.5.0, which removes the echoing of plaintext passwords in HTTP responses, thereby eliminating the information leakage.

For European organizations using ChurchCRM versions prior to 6.5.0, this vulnerability poses a significant risk to the confidentiality of user credentials. Credential compromise can lead to unauthorized access to sensitive church management data, including personal information of congregation members, financial records, and internal communications. The exposure of plaintext passwords can also facilitate lateral movement within the network if reused credentials are present, increasing the risk of broader organizational compromise. Additionally, the vulnerability can amplify the impact of other existing vulnerabilities, potentially leading to full account takeover or data breaches. Given that ChurchCRM is used by religious organizations, the impact extends to privacy concerns and reputational damage. The risk is heightened in environments where network traffic is not encrypted or where internal access controls are weak. Although exploitation requires high privileges, insider threats or attackers who have already gained elevated access could leverage this vulnerability to escalate their control and harvest credentials at scale.

European organizations should immediately upgrade ChurchCRM installations to version 6.5.0 or later to remediate this vulnerability. Until the upgrade is applied, organizations should implement strict network segmentation and limit access to the ChurchCRM application to trusted users only, reducing the risk of privilege escalation. Employing strong authentication mechanisms, such as multi-factor authentication (MFA), can mitigate the impact of credential compromise. Monitoring HTTP traffic for anomalous responses that include sensitive data can help detect exploitation attempts. Additionally, organizations should conduct regular audits of user privileges to ensure that high-level access is granted only when necessary. Encrypting all internal and external communications with TLS will prevent attackers from intercepting plaintext passwords in transit. Finally, educating users about the risks of password reuse and encouraging strong, unique passwords will reduce the potential damage from credential harvesting.