Volerion logoVolerion
Volerion logoVolerion

ChurchCRM Stored Cross-Site Scripting Vulnerability in User Editor

Vulnerability

A stored cross-site scripting vulnerability has been identified in ChurchCRM versions prior to 7.2.0. The issue arises in the User Editor (UserEditor.php), where saved usernames are rendered directly into an HTML input value attribute without proper HTML encoding. This allows an administrator to inject HTML attribute-breaking characters and event handlers, which are executed in the browser of any administrator who later views that user's editor page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the User Editor. Inject a username with HTML attribute-breaking characters, such as an autofocus attribute, and save the changes. Then, return to the User Editor for that user to trigger the execution of the injected script.

Remediation

This vulnerability has been patched in ChurchCRM version 7.2.0.

Added: Apr 18, 2026, 12:18 AM
Updated: Apr 18, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm
spread
1.9
impact
5.4
exploitability
5.9
remediation
7.7
relevance
6.3
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.