CVE-2025-67876: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM CRM
ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including administrators) views a page that displays that role, such as GroupView.php or PersonView.php. This allows full session hijacking and account takeover. As of time of publication, no known patched versions are available.
AI Analysis
Technical Summary
CVE-2025-67876 is a critical stored cross-site scripting (XSS) vulnerability affecting ChurchCRM, an open-source church management system widely used for managing congregational data and activities. The vulnerability exists in versions 6.4.0 and prior, where a low-privilege user granted the 'Manage Groups' permission can inject malicious JavaScript code into group role names. These role names are stored persistently in the database and rendered on pages such as GroupView.php and PersonView.php. When any user, including administrators, accesses these pages, the injected script executes in their browser context. This allows attackers to hijack user sessions, steal authentication tokens, and potentially take over accounts. Exploitation requires no more than an authenticated account holding the 'Manage Groups' permission, and victims need do nothing beyond viewing the affected pages. The CVSS 4.0 score of 9.3 reflects the high impact on confidentiality, integrity, and availability, combined with ease of exploitation and broad scope. No patches or fixes are currently available, increasing the urgency for defensive measures. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Although no known exploits are reported in the wild yet, the critical nature and ease of exploitation make it a significant threat to organizations relying on ChurchCRM.
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses a severe risk of unauthorized access and data compromise. Attackers exploiting this flaw can hijack sessions of administrators and other users, leading to full account takeover. This can result in unauthorized data access, manipulation of sensitive congregational information, disruption of church operations, and potential reputational damage. Since the vulnerability allows persistent script injection, it can be used to establish long-term footholds or pivot to other internal systems if integrated with broader IT infrastructure. The impact is particularly critical for organizations with many users and complex role-based permissions, as the attack surface increases. Additionally, compromised accounts could be leveraged to distribute malware or phishing campaigns within the community. The lack of a patch means organizations must rely on mitigations and monitoring, increasing operational overhead and risk exposure.
Mitigation Recommendations
Until an official patch is released, European organizations should implement several targeted mitigations:
1) Restrict the 'Manage Groups' permission strictly to trusted users only, minimizing the number of accounts that can inject malicious input.
2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious JavaScript payloads in HTTP requests related to group role management.
3) Implement server-side input validation and sanitization for group role names, ideally using a whitelist approach to allow only safe characters.
4) Monitor logs and user activity for unusual behavior, such as unexpected changes to group roles or repeated access to affected pages.
5) Educate users, especially administrators, to recognize signs of session hijacking or unusual account activity.
6) Consider isolating ChurchCRM instances from critical networks to limit lateral movement if compromised.
7) Regularly back up data to enable recovery from potential data integrity attacks.
8) Engage with the ChurchCRM community or maintainers to track patch releases and apply updates promptly once available.
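The following PHP is an added illustration of mitigation 3, not ChurchCRM's own code: a whitelist validator applied when a group role name is saved, paired with contextual HTML output encoding at render time so that rows written before validation was in place (or edited directly in the database) are still displayed safely. Function names, the character set allowed, and the sample inputs are assumptions.

```php
<?php
// Added defensive example; not taken from ChurchCRM. Names are hypothetical.
declare(strict_types=1);

// 1) Whitelist validation on write. Role names are short human labels, so
//    only letters, digits, spaces and a few punctuation marks are accepted.
//    \p{L} and \p{N} keep accented letters usable for non-English parishes.
function validateRoleName(string $name): string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        throw new InvalidArgumentException('Role name must be 1-50 characters');
    }
    if (!preg_match('/^[\p{L}\p{N} \-\'.,&()]+$/u', $name)) {
        throw new InvalidArgumentException('Role name contains disallowed characters');
    }
    return $name;
}

// 2) Output encoding on read. ENT_QUOTES covers both quote styles so the
//    value is inert inside element content and quoted attributes alike.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render a role cell the way a view page would, always through escapeHtml().
function renderRoleCell(string $roleName): string
{
    return '<td class="group-role">' . escapeHtml($roleName) . '</td>';
}

// Constructed demo input: one benign name, one carrying markup.
$inputs = ['Youth & Family Leader', '<script>alert("x")</script>'];
foreach ($inputs as $input) {
    try {
        $clean = validateRoleName($input);
        echo 'accepted: ' . renderRoleCell($clean) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // A rejected value is still rendered encoded to show the second layer:
        // the markup appears as literal text, not as an executable tag.
        echo 'rejected (' . $e->getMessage() . '): ' . renderRoleCell($input) . PHP_EOL;
    }
}
```

Validation alone is not the CWE-79 fix; the encoding step is what neutralizes a value the view page emits, and both layers together cover new input and legacy rows.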
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-12T18:53:03.237Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69431f35fab815a9fc1ded24
Added to database: 12/17/2025, 9:23:01 PM
Last enriched: 12/24/2025, 9:51:54 PM
Last updated: 2/7/2026, 6:39:01 AM