CVE-2025-67876: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM CRM
ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including administrators) views a page that displays that role, such as GroupView.php or PersonView.php. This allows full session hijacking and account takeover. As of time of publication, no known patched versions are available.
AI Analysis
Technical Summary
CVE-2025-67876 is a stored cross-site scripting (XSS) vulnerability identified in ChurchCRM, an open-source church management system widely used for managing congregational data and activities. The vulnerability affects versions 6.4.0 and earlier. It arises from improper neutralization of input during web page generation (CWE-79), specifically in the handling of group role names. A user with the 'Manage Groups' permission, which is a low-privilege role, can inject malicious JavaScript code into the role name fields. This malicious payload is stored persistently in the ChurchCRM database.

Whenever any user, including administrators, accesses pages such as GroupView.php or PersonView.php that display these group roles, the injected script executes in their browser context. This execution enables attackers to hijack user sessions, steal authentication tokens, and potentially take over accounts, including those with administrative privileges. The vulnerability does not require high privileges, but it does require an account with the ability to manage groups and for victims to view the affected pages.

No patches or updates addressing this vulnerability are currently available, increasing the risk of exploitation once the vulnerability becomes widely known. The CVSS 4.0 score of 9.3 reflects the vulnerability's critical nature: network attack vector, low attack complexity, only low privileges required, and high impacts on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the potential for damage is significant given the persistent nature of the XSS and the ability to compromise administrative accounts.
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive organizational and personal data managed within the CRM. Exploitation could lead to unauthorized access to user accounts, including administrators, enabling attackers to manipulate data, disrupt operations, or exfiltrate confidential information. Given that church management systems often contain personal data of congregants, including contact details and possibly financial information, a breach could also have privacy and regulatory compliance implications under GDPR. The persistent nature of the XSS means that multiple users can be affected over time, increasing the scope of impact. Additionally, session hijacking can facilitate lateral movement within the system, potentially compromising other integrated services or data. The lack of a patch increases the window of exposure, making timely mitigation critical. The impact extends beyond technical damage to reputational harm and potential legal consequences for failing to protect personal data adequately.
Mitigation Recommendations
Until an official patch is released, European organizations should implement several targeted mitigation strategies. First, restrict the 'Manage Groups' permission strictly to trusted users and review current role assignments to minimize the number of users who can inject malicious input. Where possible, implement input validation and sanitization at the application or web server level to detect and block suspicious scripts in group role names. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing ChurchCRM. Monitor logs and user activity for unusual behavior, particularly changes to group roles and unexpected script execution. Consider isolating ChurchCRM instances from critical networks and sensitive data environments to limit potential damage. Educate users, especially administrators, to be cautious when viewing group-related pages and to report anomalies. Finally, maintain regular backups of the CRM database to enable recovery if an attack occurs. Organizations should also stay alert for updates from ChurchCRM developers and apply patches promptly once available.
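The following is an added example, not ChurchCRM's own code, illustrating the CWE-79 mechanism from the Technical Summary and the sanitization, CSP and monitoring recommendations above. It contrasts a rendering routine that interpolates a stored role name verbatim with one that HTML-encodes it at output time, provides an audit function that flags role names already stored with markup in them, and returns a restrictive CSP header. The role names, template fragments, regular expression and CSP value are all constructed for the demonstration and are not taken from ChurchCRM.

```python
"""Added example (not ChurchCRM code): output encoding for group role names,
an audit scan for already-stored markup, and a CSP header value.
All sample data and helper names below are constructed for this demonstration."""
import html
import re

# Constructed sample of stored group role names. The first two are benign
# (note the '&', which must survive encoding as text); the last two carry
# markup of the kind a stored-XSS payload in a role name would contain.
SAMPLE_ROLE_NAMES = [
    "Member",
    "Treasurer & Secretary",
    "Usher<script>/*test*/</script>",
    "Elder<b onmouseover=x>",
]


def render_role_vulnerable(role_name: str) -> str:
    """Mimics the flaw: the stored value is dropped into the HTML verbatim,
    so any tags inside it become part of the page and run in the viewer's browser."""
    return f'<td class="role">{role_name}</td>'


def render_role_safe(role_name: str) -> str:
    """Hardened rendering: encode at output time (the equivalent of PHP's
    htmlspecialchars with ENT_QUOTES), so '<', '>', '&' and quotes are shown
    as text instead of being parsed as markup. This is the actual CWE-79 fix;
    input filtering alone does not protect values that are already stored."""
    return f'<td class="role">{html.escape(role_name, quote=True)}</td>'


# Constructed heuristic: an opening/closing tag, an inline event handler
# attribute, or a javascript: scheme. Good enough to surface stored payloads
# for manual review; it is an audit aid, not a substitute for output encoding.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspicious_role_names(names):
    """Return the role names that look like they contain HTML or script.
    Run this over the group role table to find payloads injected before the
    rendering fix was deployed, and to feed change monitoring on that table."""
    return [n for n in names if MARKUP_RE.search(n)]


def csp_header() -> tuple:
    """A restrictive Content-Security-Policy (assumed value, not ChurchCRM's own).
    Disallowing inline script means an injected <script> block or inline event
    handler is refused by the browser even where a page still renders unsafely.
    Tighten or relax the source lists to match the deployment."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )


if __name__ == "__main__":
    for name in SAMPLE_ROLE_NAMES:
        print("vulnerable:", render_role_vulnerable(name))
        print("safe      :", render_role_safe(name))
    print("flagged for review:", find_suspicious_role_names(SAMPLE_ROLE_NAMES))
    print("%s: %s" % csp_header())
```

The safe renderer is the durable fix and belongs at every place a role name reaches a page (GroupView.php, PersonView.php and any other template that prints it); the scan and the CSP header are the interim measures the recommendations describe, useful for finding what is already in the database and for limiting what a browser will execute until a patched release is available.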
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-12T18:53:03.237Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69431f35fab815a9fc1ded24
Added to database: 12/17/2025, 9:23:01 PM
Last enriched: 12/17/2025, 9:37:08 PM
Last updated: 12/18/2025, 3:06:52 AM