CVE-2025-67874 is a vulnerability identified in ChurchCRM, an open-source church management system, affecting all versions prior to 6.5.0. The core issue is an observable response discrepancy where the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This behavior constitutes a CWE-204 vulnerability, leading to significant information disclosure. Because passwords are exposed in responses, attackers can harvest credentials without needing authentication or user interaction, increasing the risk of account compromise. The vulnerability also exacerbates the impact of other security flaws such as Cross-Site Scripting (XSS), Insecure Direct Object References (IDOR), and session fixation attacks by providing attackers with sensitive data that can be leveraged for further exploitation. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the vulnerability is remotely exploitable without authentication but requires high privileges to trigger (PR:H). The vulnerability does not affect confidentiality, integrity, or availability directly but compromises user credentials, which can lead to broader security breaches. The issue was publicly disclosed on December 16, 2025, and fixed in version 6.5.0 of ChurchCRM. No known exploits have been reported in the wild to date.

For European organizations using ChurchCRM versions prior to 6.5.0, this vulnerability poses a significant risk of credential compromise. Since ChurchCRM is used primarily by religious institutions and associated organizations, the impact includes potential unauthorized access to sensitive member data, financial information, and internal communications. Credential leakage can facilitate lateral movement within networks, enabling attackers to escalate privileges or conduct further attacks such as data exfiltration or ransomware deployment. The amplification of other vulnerabilities like XSS or IDOR increases the attack surface and potential damage. Given the nature of the data managed by ChurchCRM, including personal and possibly financial information of congregants, breaches could lead to reputational damage, legal liabilities under GDPR, and loss of trust. The vulnerability's remote exploitability without user interaction increases the urgency for affected organizations to remediate promptly.

1. Upgrade ChurchCRM installations to version 6.5.0 or later immediately to apply the official fix. 2. Conduct a thorough audit of logs and user activity to detect any suspicious access or credential harvesting attempts prior to patching. 3. Implement strict network segmentation and access controls to limit exposure of ChurchCRM instances to trusted users and networks only. 4. Enforce strong password policies and consider multi-factor authentication (MFA) for user accounts to reduce the risk of compromised credentials being abused. 5. Monitor for anomalous login patterns or repeated failed login attempts that may indicate exploitation attempts. 6. Educate users about phishing and credential security, as attackers may leverage leaked passwords in social engineering attacks. 7. If upgrading is not immediately possible, deploy web application firewalls (WAFs) with custom rules to detect and block suspicious requests that might exploit this vulnerability. 8. Regularly review and update all dependencies and third-party components integrated with ChurchCRM to minimize additional risks.