ChurchCRM, an open-source church management system, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-32880. This vulnerability exists in versions prior to 7.0.2 due to improper neutralization of input during web page generation (CWE-79). Specifically, an admin user can edit JSON-type system settings to include a malicious JavaScript payload. The system fails to properly escape or sanitize this JSON input within the SystemSettings.php file, causing the payload to execute when any administrator views the system settings page. This stored XSS allows execution of arbitrary scripts in the context of an admin user’s browser session, potentially leading to theft of sensitive information, session hijacking, or unauthorized actions. Exploitation requires authenticated admin privileges and user interaction (viewing the settings page). The vulnerability was publicly disclosed on March 20, 2026, with a CVSS v3.1 base score of 6.4, reflecting medium severity. No known exploits have been reported in the wild. The issue has been resolved in ChurchCRM version 7.0.2 by properly sanitizing JSON input before rendering it in the admin interface.

The vulnerability primarily impacts the confidentiality and integrity of administrative sessions within ChurchCRM deployments. An attacker with admin privileges can inject malicious JavaScript that executes in other admins’ browsers, potentially stealing session tokens, modifying settings, or performing unauthorized actions under the guise of legitimate administrators. This can lead to unauthorized data access or manipulation of church management data, which may include sensitive personal information of congregants. While availability impact is low, the breach of trust and data integrity can have significant reputational and operational consequences for organizations relying on ChurchCRM. Since exploitation requires admin access, the threat is limited to environments where admin credentials are compromised or malicious insiders exist. However, the ease of injecting persistent scripts once admin access is obtained increases the risk of lateral compromise within the administrative user base.

1. Upgrade ChurchCRM installations to version 7.0.2 or later, where the vulnerability is patched. 2. Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 3. Implement strict input validation and output encoding for JSON and other user-controllable inputs in custom deployments or forks of ChurchCRM. 4. Regularly audit system settings and JSON configuration entries for suspicious or unexpected script content. 5. Monitor administrative user activity and logs for unusual behavior that could indicate exploitation attempts. 6. Educate administrators about the risks of XSS and the importance of cautious interaction with system settings. 7. If upgrading immediately is not feasible, consider temporarily limiting admin access or isolating the admin interface to trusted networks to reduce exposure.