CVE-2025-1024 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting ChurchCRM versions up to 5.13.0. This flaw allows attackers to inject malicious JavaScript code into a victim's browser, potentially leading to session hijacking and unauthorized actions. The vulnerability resides within the EditEventAttendees.php page and requires administrative privileges to exploit. A patch is available in version 5.13.1.
Successful exploitation of CVE-2025-1024 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session on the ChurchCRM application. This can lead to several severe consequences, including the theft of session cookies, enabling the attacker to impersonate the victim and perform actions on their behalf. An attacker could potentially access sensitive data, modify records, or even compromise the entire ChurchCRM installation. The EID parameter is the attack vector, making it crucial to sanitize user input related to event attendees. This vulnerability highlights the importance of proper input validation and output encoding to prevent XSS attacks.
CVE-2025-1024 was publicly disclosed on 2025-02-19. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. The vulnerability requires administrative privileges, which may limit the scope of exploitation. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.16% (37th percentile)
CISA SSVC
The primary mitigation for CVE-2025-1024 is to upgrade ChurchCRM to version 5.13.1 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Input validation on the EID parameter within the EditEventAttendees.php page is critical. Implement strict filtering to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) can be configured to detect and block XSS attempts targeting this specific endpoint. Regularly review and update ChurchCRM's security configuration to ensure best practices are followed. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload through the EID parameter and verifying that it is properly sanitized.
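To make the two workaround controls named above concrete, here is an added example in PHP (ChurchCRM's implementation language); it is not ChurchCRM's own code, which this page does not reproduce, and the handler name, page structure, and function names are assumptions. It validates the EID parameter as a positive integer before use and HTML-encodes anything reflected into the page, with the classic unsafe reflection pattern shown only in a comment for contrast.

```php
<?php
declare(strict_types=1);

// Added example (assumption): a minimal handler in the style of an
// EditEventAttendees.php page. It is not ChurchCRM's code.

/**
 * Validate the EID query parameter as a positive integer.
 * Returns the integer, or null when the value is absent or malformed.
 * Rejecting anything that is not a bare integer means no attacker-
 * controlled string ever reaches the HTML output path.
 */
function validateEventId(array $query): ?int
{
    // $_GET values may be arrays (EID[]=...), so require a string first.
    if (!isset($query['EID']) || !is_string($query['EID'])) {
        return null;
    }
    // FILTER_VALIDATE_INT refuses trailing junk such as "1<b>" and
    // non-numeric input; min_range rejects zero and negatives.
    $eid = filter_var($query['EID'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $eid === false ? null : $eid;
}

/**
 * Encode a value for insertion into HTML element content or a
 * double-quoted attribute. ENT_QUOTES also escapes single quotes;
 * ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the page body for the given query parameters.
 * Unsafe reflection pattern, shown for contrast only:
 *     echo '<input name="EID" value="' . $_GET['EID'] . '">';
 * Hardened pattern: validate first, then encode whatever is reflected.
 */
function renderEditEventAttendees(array $query): string
{
    $eid = validateEventId($query);
    if ($eid === null) {
        // Do not echo the rejected input back; a generic message is enough.
        return '<p class="error">Invalid event id.</p>';
    }
    // $eid is already an int, but encoding on output is the habit to keep,
    // because the next field reflected here may not be numeric.
    $value = h((string) $eid);
    return '<h1>Edit attendees for event ' . $value . '</h1>'
         . '<input type="hidden" name="EID" value="' . $value . '">';
}

// Usage with constructed inputs (not captured traffic):
echo renderEditEventAttendees(['EID' => '42']) . "\n";
echo renderEditEventAttendees(['EID' => '42<b>x</b>']) . "\n";  // rejected
echo renderEditEventAttendees([]) . "\n";                       // rejected
```

The validation step is what closes this particular vector, because an identifier that can only ever be an integer has no reason to carry markup. The output-encoding step is kept anyway: it is the control that still protects the page when a later change reflects a free-text field, and it is the one a WAF rule on this endpoint cannot replace.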
Update ChurchCRM to a version later than 5.13.0 to fix the XSS vulnerability. This will prevent attackers from executing malicious scripts in users' browsers and stealing their sessions. Refer to the ChurchCRM changelog for details on the patched version.
CVE-2025-1024 is a Reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 5.13.0 and earlier, allowing attackers to inject JavaScript code.
You are affected if you are running ChurchCRM version 5.13.0 or an earlier version. Upgrade to 5.13.1 or later to mitigate the risk.
Upgrade ChurchCRM to version 5.13.1 or later. As a temporary workaround, implement strict input validation on the EID parameter.
While no active exploitation has been confirmed, the vulnerability's nature makes exploitation attempts likely.
Refer to the ChurchCRM security advisories page for the latest information and updates regarding CVE-2025-1024.