CVE-2025-67874

MEDIUM

Churchcrm < 6.5.0 - XSS

Title source: rule

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

References (2)

[Exploit, Vendor Advisory] https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x

[Patch] https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 16.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-204

Status published

Products (1)

churchcrm/churchcrm < 6.5.0

Published Dec 16, 2025

Tracked Since Feb 18, 2026