CVE-2025-68275 CRITICAL

CVE-2025-68275: ChurchCRM vulnerable to Stored XSS - Group name > Person Listing

Vendor Churchcrm

Product CRM

Weakness CWE-79 · XSS

Published December 17, 2025

Last update December 18, 2025

View on NVD All CVEs

CVSS base score

9.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.

Key dates

02Disclosure timeline

December 17, 2025 CVE published

December 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-68275

Related vulnerabilities

04Related CVE

CVE-2023-3755 Creativeitem Atlas Business Directory Listing filter_listings cross site scripting CVE-2025-54724 WordPress Golo Theme <= 1.7.1 - Cross Site Scripting (XSS) Vulnerability CVE-2020-36931 Click2Magic 1.1.5 - Stored Cross-Site Scripting CVE-2022-42364 AEM Reflected XSS Arbitrary code execution CVE-2025-3106 LA-Studio Element Kit for Elementor <= 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table of Contents Widget