CVE-2025-67874
MEDIUMChurchCRM < 6.5.0 - Plaintext Password Exposure in HTTP Responses
Title source: llmDescription
ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x
Patch x_refsource_misc
https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd
Scores
CVSS v3
6.5
EPSS
0.0031
EPSS Percentile
21.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-204
Status
published
Products (1)
churchcrm/churchcrm
< 6.5.0
Published
Dec 16, 2025
Tracked Since
Feb 18, 2026