CVE-2025-67875 is a critical security vulnerability identified in ChurchCRM, an open-source church management system, affecting versions prior to 6.5.3. The vulnerability is a persistent Cross-Site Scripting (XSS) flaw categorized under CWE-79, which allows an attacker with authenticated mid-level permissions—specifically 'Edit Records' and 'Manage Properties and Classifications'—to inject malicious JavaScript payloads into administrator profile pages. This injection is possible due to a combination of two underlying security weaknesses: an Insecure Direct Object Reference (IDOR) that permits any user to view any other user's profile, and broken access control that allows users with general edit permissions to modify any other user's record properties. When an administrator views their own profile page, the injected script executes in their browser context, enabling session hijacking and unauthorized administrative actions, ultimately leading to full account takeover. The vulnerability does not require the attacker to have administrative privileges initially but leverages mid-level permissions to escalate privileges. The CVSS 4.0 base score is 8.5, reflecting high severity due to network attack vector, low attack complexity, no required privileges beyond mid-level, and high impacts on confidentiality, integrity, and availability. No known public exploits have been reported yet. The vulnerability is addressed in ChurchCRM version 6.5.3, which corrects the access control and input validation issues. Organizations running affected versions should upgrade promptly to mitigate the risk of administrative compromise and potential further exploitation within their environment.

For European organizations using ChurchCRM, this vulnerability poses a significant risk of administrative account compromise, which can lead to unauthorized access to sensitive data, manipulation of church member records, and disruption of organizational operations. The ability to hijack administrator sessions and perform administrative actions can facilitate further lateral movement within the system or network, potentially exposing personal data protected under GDPR and other privacy regulations. The persistent nature of the XSS payload means that the attack can maintain a foothold and repeatedly execute malicious scripts without further interaction from the attacker. This could also lead to reputational damage if member data is leaked or manipulated. Given that ChurchCRM is used by various religious and community organizations across Europe, the impact extends beyond IT systems to the trust and safety of community members. The vulnerability's exploitation could also be leveraged for phishing or social engineering attacks targeting administrators. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often target unpatched systems. Therefore, the impact is high particularly for organizations that have not yet updated to version 6.5.3.

1. Immediate upgrade of ChurchCRM installations to version 6.5.3 or later, which contains the fix for this vulnerability. 2. Review and restrict user permissions to ensure that only trusted users have 'Edit Records' and 'Manage Properties and Classifications' privileges, minimizing the attack surface. 3. Implement strict input validation and output encoding on all user-supplied data fields, especially those displayed in administrator profiles, to prevent injection of malicious scripts. 4. Conduct regular audits of user roles and access controls to detect and remediate any unauthorized privilege escalations or misconfigurations. 5. Monitor logs for unusual profile access or modification activities that could indicate exploitation attempts. 6. Educate administrators to be cautious when viewing profile pages and to report any suspicious behavior. 7. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS payloads by restricting the execution of unauthorized scripts. 8. Consider implementing multi-factor authentication (MFA) for administrator accounts to mitigate session hijacking risks. 9. Regularly back up ChurchCRM data and configurations to enable recovery in case of compromise. 10. Stay informed about updates from ChurchCRM and security advisories to promptly address new vulnerabilities.