
CVE-2025-68399: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM CRM

Severity: Low
Tags: Vulnerability, CVE-2025-68399, cve, cwe-79
Published: Wed Dec 17 2025 (12/17/2025, 21:40:23 UTC)
Source: CVE Database V5
Vendor/Project: ChurchCRM
Product: CRM

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 12/24/2025, 22:56:24 UTC

Technical Analysis

ChurchCRM, an open-source church management system, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-68399 and classified under CWE-79. This vulnerability exists in versions prior to 6.5.4 within the GroupEditor.php page, where input sanitization is insufficient during web page generation. Specifically, when a user with permissions to view and modify groups creates a group role, they can inject malicious JavaScript code that is stored and later executed in the context of other users viewing the affected page. The vulnerability requires the attacker to have authenticated access with group modification privileges, and some user interaction is necessary to trigger the malicious script. The CVSS 4.0 base score is 2.0, reflecting low severity due to the limited scope and required privileges. No known exploits have been reported in the wild. The vulnerability is resolved in ChurchCRM version 6.5.4 by properly neutralizing input to prevent script injection.

Potential Impact

For European organizations using ChurchCRM, this vulnerability could lead to unauthorized script execution within the application context, potentially allowing attackers to steal session tokens, perform actions on behalf of legitimate users, or conduct phishing attacks targeting users with group modification privileges. Although the impact is limited by the need for authenticated access and specific permissions, exploitation could compromise the integrity and confidentiality of user data and organizational workflows. Given that ChurchCRM is used primarily by churches and religious organizations, the impact may be more pronounced in communities relying heavily on this software for member management and communication. The low CVSS score and absence of known exploits suggest limited immediate risk, but unpatched instances remain vulnerable to insider threats or targeted attacks.

Mitigation Recommendations

European organizations should immediately upgrade ChurchCRM installations to version 6.5.4 or later to remediate the vulnerability. Until the upgrade is applied, restrict group modification permissions strictly to trusted users and monitor for unusual activity involving group role creation. Implement web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting the GroupEditor.php endpoint. Conduct regular security audits and user permission reviews to minimize the attack surface. Educate users with elevated privileges about the risks of XSS and the importance of cautious input handling. Additionally, consider implementing Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources.
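The fix the analysis describes, neutralizing stored values at output time and backing that with a CSP, looks like the following in PHP. This is an added illustration, not ChurchCRM's own code or its GroupEditor.php; the function names, the role fields and the sample record are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

/** HTML-escape a value for an element body or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the <tr> for one stored role; every dynamic value passes through h(). */
function renderGroupRoleRow(array $role): string
{
    return '<tr data-role-id="' . h((string) $role['id']) . '">'
        . '<td>' . h($role['name']) . '</td>'
        . '<td>' . h($role['description']) . '</td>'
        . '</tr>';
}

/** A CSP that disallows inline scripts limits what a stored payload could do. */
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

/** Returns true if a raw script tag survived rendering (it must not). */
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample record: a role name that carries markup, as a stored XSS would.
$roles = [
    ['id' => 7, 'name' => 'Usher <script>alert(1)</script>', 'description' => 'Greets "visitors" & seats them'],
];

if (PHP_SAPI !== 'cli') {
    sendCspHeader();           // headers must go out before any body output
}

$html = '<table>' . implode('', array_map('renderGroupRoleRow', $roles)) . '</table>';

if (containsRawScriptTag($html)) {
    throw new RuntimeException('escaping failed: raw <script> tag reached the output');
}
// The browser now displays the literal text "&lt;script&gt;..." instead of executing it.
echo $html, PHP_EOL;
```

Run it with `php example.php`; the printed row shows the role name as escaped text, and the same escaping applies wherever a stored name or description is written into the page.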


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-12-16T21:59:48.534Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6943260ffab815a9fc251853

Added to database: 12/17/2025, 9:52:15 PM

Last enriched: 12/24/2025, 10:56:24 PM

Last updated: 2/4/2026, 1:52:02 PM
