CVE-2025-0981: Session Hijacking via Stored Cross-Site Scripting (XSS) in ChurchCRM Group Editor
Description
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.
Classification
CVE ID: CVE-2025-0981
CVSS Base Severity: HIGH
CVSS Base Score: 8.4
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/AU:Y/R:U/V:C/RE:L/U:Amber
Affected Products
Vendor: ChurchCRM
Product: ChurchCRM
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 4.29% (scored less or equal to compared to others)
EPSS Date: 2025-03-19 (when was this score calculated)