Key Takeaway
CVE-2026-39344 is a high-severity reflected cross-site scripting (XSS) vulnerability in ChurchCRM versions before 7.1.0. The login page echoes the username parameter into the response without encoding it, so an attacker who gets a victim to open a crafted URL can run JavaScript in the victim's browser within the application's origin. Upgrade to version 7.1.0 or later.
What Happened
A security vulnerability was identified in ChurchCRM, an open-source church management system used by religious organizations to manage their activities and member information. The issue, tracked as CVE-2026-39344, is a reflected cross-site scripting (XSS) vulnerability on the application's login page. It affects versions prior to 7.1.0 and is fixed in that release.
ChurchCRM is used by many churches to handle day-to-day operations such as tracking member details, donations, and events. Because the flaw sits in the login page, the entry point to all of that data, script injected there runs in the same origin as the application and can be used to capture credentials or to act with the privileges of a user who is already signed in.
Technical Details
The vulnerability is a classic reflected XSS: the login page of ChurchCRM prior to version 7.1.0 takes the username parameter from the request and writes it back into the HTML response without HTML-encoding it. The advisory describes this as improper input sanitization; the missing control is output encoding at the point where the value is rendered. An attacker can therefore build a URL whose username value closes the surrounding markup and adds a <script> element or an event-handler attribute, and deliver that URL to a victim by email, chat, or a link on another site.
When the victim opens the link, the injected script executes in the victim's browser within the ChurchCRM origin. The vulnerability has been assigned a CVSS score of 8.1, a high severity rating. On a login page the most direct abuse is to rewrite the form so that submitted credentials are sent to the attacker. If the victim already holds a session, the script can also issue requests to the application with that session and read the responses, which works even when the session cookie is flagged HttpOnly and cannot be read from document.cookie. Exploitation requires user interaction (the victim must open the crafted URL), and because the payload travels in the query string of a GET request it is visible in web-server access logs.
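The reflection described above, as an added Python example (not ChurchCRM's code, which is PHP): a minimal login-page renderer that echoes the username parameter raw, the same renderer with output encoding applied, and the check a tester would run against both. The URL, path, parameter name and markup are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Added example, not ChurchCRM code. It reproduces the vulnerability class the
# advisory describes: a username value echoed into the login page unencoded.
# The host, path and parameter name below are assumptions.

PAYLOAD = '"><script>alert(document.domain)</script>'
CRAFTED_URL = "https://churchcrm.example/login?username=" + quote(PAYLOAD, safe="")


def username_from_url(url: str) -> str:
    """Return the username query parameter as the server would receive it."""
    return parse_qs(urlsplit(url).query).get("username", [""])[0]


def render_login_vulnerable(username: str) -> str:
    """Reflects the value verbatim into an attribute and a text node (unsafe)."""
    return (
        '<form method="post">'
        f'<input name="username" value="{username}">'
        f'<p>Could not log in as {username}</p>'
        '</form>'
    )


def render_login_fixed(username: str) -> str:
    """Same markup, with HTML entity encoding applied at the output point.

    quote=True also encodes both quote characters, so the value cannot close
    the surrounding attribute and start a new tag or event handler.
    """
    safe = html.escape(username, quote=True)
    return (
        '<form method="post">'
        f'<input name="username" value="{safe}">'
        f'<p>Could not log in as {safe}</p>'
        '</form>'
    )


def is_reflected_unencoded(page: str, payload: str) -> bool:
    """The crude test a pentester runs first: does the raw payload survive into the response?"""
    return payload in page


if __name__ == "__main__":
    received = username_from_url(CRAFTED_URL)
    print("vulnerable page reflects raw payload:", is_reflected_unencoded(render_login_vulnerable(received), PAYLOAD))
    print("fixed page reflects raw payload:     ", is_reflected_unencoded(render_login_fixed(received), PAYLOAD))
```

`html.escape(..., quote=True)` is the right primitive for HTML text and for double- or single-quoted attribute values; the PHP equivalent is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`. A value that lands inside a `<script>` block, a URL attribute or an unquoted attribute needs context-specific encoding instead, and the encoding has to happen where the value is written into the page, not by "cleaning" input on the way in.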
Impact
The impact of CVE-2026-39344 extends to every ChurchCRM installation running a version earlier than 7.1.0, which covers a wide range of church organizations that rely on the product to manage member data. Successful exploitation can expose login credentials, session cookies and other sensitive data, and can let the attacker perform actions in the application as the victim.
The consequences of such a compromise include unauthorized access to member records, misuse of personal information, and loss of trust within the affected community. Since ChurchCRM serves many organizations worldwide, the cumulative exposure across deployments is considerable, even though each individual attack needs a victim to follow a crafted link.
What To Do
- Upgrade Immediately: Update ChurchCRM to version 7.1.0 or later; this is the only change that removes the vulnerability itself.
- Assess Exposure: Review web-server access logs for requests to the login page whose username parameter contains URL-encoded angle brackets (%3C, %3E), quote characters, "javascript:" or "on...=" event handlers. Only GET-based exploitation shows up in access logs; a payload sent in a POST body will not.
- Implement a Web Application Firewall (WAF): As defence in depth rather than a substitute for the upgrade, deploy a WAF that filters and logs HTTP requests carrying script-like payloads, and consider a Content-Security-Policy header that disallows inline script, which blocks most reflected XSS payloads even if a new flaw appears.
- Educate Users: Remind users not to follow unexpected links to the ChurchCRM login page from email or messages, and to type the address themselves instead.
- Regular Security Audits: Run periodic security assessments and keep the application current so that other vulnerabilities do not go unnoticed.
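The log review step above, as an added Python example (not a ChurchCRM tool): it parses access-log lines in the Apache/nginx "combined" format, keeps only requests to the login page, decodes the username parameter (including double-encoded values) and flags anything that contains markup or event-handler syntax. The login path, parameter name and the sample log lines are constructed for the example; adjust the first two to the deployment being reviewed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Added example, not ChurchCRM code. Both the login path and the parameter
# name are assumptions; change them to match the deployment being reviewed.
LOGIN_PATH = "/login"
USERNAME_PARAM = "username"

# Characters and tokens that have no place in a username but are needed to
# break out of an HTML attribute or text node and start script execution.
XSS_HINT = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Apache/nginx "combined" request line; captures only the fields needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs): a benign login, a crafted
# request with <script> tags, a crafted request with an event handler, a POST
# that carries no query string, and a benign address-style username.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:09:14:02 +0000] "GET /login?username=alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:09:14:30 +0000] "GET /login?username=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5188 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:09:15:11 +0000] "GET /login?username=bob%27%20onfocus%3Dalert(1)%20autofocus%3D%27 HTTP/1.1" 200 5190 "-" "curl/8.5.0"
198.51.100.7 - - [12/Mar/2026:09:16:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2026:09:17:45 +0000] "GET /login?username=carol%40example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding, a common trick for slipping past naive filters."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_login_requests(log_text: str, login_path: str = LOGIN_PATH,
                              param: str = USERNAME_PARAM) -> list:
    """Return login-page requests whose username parameter looks like an XSS probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != login_path:
            continue
        # parse_qs performs one round of decoding; decode_fully handles extra layers.
        for raw in parse_qs(target.query, keep_blank_values=True).get(param, []):
            value = decode_fully(raw)
            if XSS_HINT.search(value):
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "status": m["status"], "username": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_login_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} username={hit["username"]!r}')
```

A hit is evidence of an attempt, not of success: a 200 response tells you the server reflected the page, not that anyone opened the link. Correlate the source IP and timestamp with authentication events and with outbound requests from the victim's browser session if you have that telemetry, and remember that this scan cannot see payloads delivered in a POST body.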
ChurchCRM administrators should apply the 7.1.0 update promptly and work through the steps above. The upgrade removes the flaw; the log review tells you whether anyone tried to exploit it before you patched, and the remaining measures reduce the blast radius of the next web-application vulnerability.
Original Source
NVD