CVE-2025-68401 is a stored cross-site scripting (XSS) vulnerability identified in ChurchCRM, an open-source church management system. The vulnerability exists in versions prior to 6.0.0 due to improper neutralization of user-supplied input during web page generation. Specifically, the application fails to sufficiently sanitize or encode HTML and JavaScript content submitted by users before storing it. When other users view this stored content, the embedded malicious JavaScript executes in their browsers within the context of the ChurchCRM web application. This execution allows the attacker to access sensitive web origin data, manipulate the DOM, and perform privileged actions on behalf of the victim user. If the application’s session cookies are not marked with the HttpOnly attribute, the malicious script can read document.cookie, enabling session hijacking and account takeover. The vulnerability does not require authentication to exploit but does require user interaction (viewing the malicious content). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H but this seems contradictory, likely a typo or indicating high privileges needed), user interaction required (UI:P), and high scope impact (SI:H). The vulnerability was published on December 17, 2025, and no known exploits are currently reported in the wild. The issue is addressed in ChurchCRM version 6.0.0, which implements proper input sanitization and encoding to prevent script injection.

For European organizations using ChurchCRM versions prior to 6.0.0, this vulnerability poses a significant risk to confidentiality and integrity of user accounts and data. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users and perform unauthorized actions within the CRM system. This can result in unauthorized access to sensitive church member information, manipulation of records, and potential disruption of church operations. Given that ChurchCRM is used by religious organizations which may hold personal data of congregants, the breach could also have privacy and compliance implications under GDPR. The stored nature of the XSS means that once malicious content is injected, it can affect multiple users without repeated attacker interaction, increasing the attack surface. Although no known exploits are reported yet, the medium CVSS score and ease of exploitation via user interaction warrant proactive mitigation. The impact on availability is minimal, but the risk to confidentiality and integrity is moderate to high depending on cookie security settings and user privileges.

European organizations should immediately upgrade ChurchCRM installations to version 6.0.0 or later to apply the official patch. Until upgrade is possible, implement strict input validation and output encoding on all user-supplied content fields to prevent injection of executable scripts. Configure web application security headers such as Content Security Policy (CSP) to restrict script execution sources and reduce XSS impact. Ensure all session cookies are marked HttpOnly and Secure to prevent client-side script access and cookie theft. Conduct regular security audits and penetration testing focused on input handling and stored content rendering. Educate users to be cautious when interacting with content from untrusted sources within the CRM. Monitor logs for suspicious activity indicative of XSS exploitation attempts. Consider deploying web application firewalls (WAFs) with rules targeting XSS payloads as an additional protective layer.