ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.1.2
A stored cross-site scripting vulnerability has been identified in ChurchCRM versions prior to 7.2.0. The issue arises in the Pledge Editor, where donation comments are rendered into HTML input value attributes without proper escaping. This flaw allows an authenticated user with Finance permissions to inject HTML attribute-breaking characters and event handlers into the comment field. The injected scripts are executed in the browser of any user who later opens the pledge record for editing. The vulnerability has been patched in version 7.2.0.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user editing the pledge.
To reproduce this vulnerability, log in with Finance permissions and navigate to the Pledge Editor. In the comment field for any fund, enter a payload that breaks out of the attribute context, such as a script injection using event handlers. After saving the comment, return to the pledge record. The injected script will execute, demonstrating the cross-site scripting vulnerability.
Users can update to ChurchCRM version 7.2.0 or later, where this vulnerability has been fixed.
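The defect described above is the classic "attribute context" mistake: a user-supplied string is concatenated into a `value="..."` attribute, so a double quote in the string closes the attribute early and anything after it is parsed as new attributes, including event handlers. The following Python example is added here for illustration and is not ChurchCRM's code; the `<input>` markup, the field name `Comment`, the allowed-attribute list and the sample comment are all constructed assumptions. It contrasts the unescaped rendering with a hardened one that HTML-encodes the value (`html.escape(..., quote=True)`, which covers `&`, `<`, `>`, `"` and `'`), and includes a small regression check that flags any attribute the template did not itself emit.

```python
import html
import re

# Constructed sample: a pledge comment carrying an attribute-breaking
# double quote followed by an event-handler attribute. Not from the page.
ATTRIBUTE_BREAKING_COMMENT = 'Tithe" onfocus="alert(1)'

# Attributes the template is expected to emit for the comment input
# (hypothetical; mirrors the constructed markup below).
EXPECTED_ATTRIBUTES = {"type", "name", "value"}


def render_comment_input_unsafe(comment: str) -> str:
    """Models the defective pattern: the comment is dropped into the
    value attribute verbatim, so a '"' in it terminates the attribute."""
    return f'<input type="text" name="Comment" value="{comment}">'


def render_comment_input_safe(comment: str) -> str:
    """Hardened rendering: the comment is HTML-encoded for attribute
    context, so quotes become &quot; and the whole string stays inside
    the value attribute no matter what characters it contains."""
    escaped = html.escape(comment, quote=True)
    return f'<input type="text" name="Comment" value="{escaped}">'


# Matches one attribute in a start tag: whitespace, a name, and an optional
# quoted or unquoted value. Quoted values are consumed as a unit, so an
# encoded &quot; inside a value cannot start a new attribute.
_ATTRIBUTE_RE = re.compile(
    r'\s([A-Za-z][\w:-]*)(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+))?'
)


def attribute_names(tag: str) -> list[str]:
    """Return the attribute names present in a single rendered start tag."""
    return [m.group(1).lower() for m in _ATTRIBUTE_RE.finditer(tag)]


def unexpected_attributes(tag: str, allowed: set[str] = EXPECTED_ATTRIBUTES) -> set[str]:
    """Regression check for templates: any attribute the template did not
    emit itself (e.g. an on* handler) means user input escaped the
    attribute context."""
    return set(attribute_names(tag)) - allowed


if __name__ == "__main__":
    unsafe = render_comment_input_unsafe(ATTRIBUTE_BREAKING_COMMENT)
    safe = render_comment_input_safe(ATTRIBUTE_BREAKING_COMMENT)
    print("unsafe :", unsafe)
    print("  extra attributes:", unexpected_attributes(unsafe))   # {'onfocus'}
    print("safe   :", safe)
    print("  extra attributes:", unexpected_attributes(safe))     # set()
```

The check is deliberately simple: it only looks at the one tag a template emits for the comment field, which is enough to catch this bug class in a unit test without a full HTML parser. Output-encoding at the point of rendering, as in `render_comment_input_safe`, is the actual fix; input filtering alone does not help, because the same comment may legitimately contain quotes.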