CVE-2025-0981

MEDIUM

ChurchCRM < 5.13.0 - Stored Cross-Site Scripting in Group Editor Description Field

Title source: llm
STIX 2.1

Description

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

References (1)

Core 1
Core References
Exploit, Issue Tracking, Third Party Advisory
https://github.com/ChurchCRM/CRM/issues/7245

Scores

CVSS v3 6.1
EPSS 0.0020
EPSS Percentile 10.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-287 CWE-79
Status published
Products (1)
churchcrm/churchcrm < 5.13.0
Published Feb 18, 2025
Tracked Since Feb 18, 2026