## https://sploitus.com/exploit?id=21195C09-272C-5E90-9187-70E55BD79A90
# CVE-2025-67875: ChurchCRM has stored XSS via Person Property Assignment Leading to Admin Session Hijacking
## Overview
| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-67875 |
| **Vulnerability Type** | Cross-Site Scripting (XSS) |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Description
ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (
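The defensive pattern behind this class of bug, as an added illustration that is not ChurchCRM's own code and does not reproduce the advisory's exact injection point: a person-property list rendered once with raw interpolation (the stored XSS pattern) and once with output encoding, plus session-cookie flags that keep an executing script from reading the session id. The `renderProperties*` functions, the `$properties` array and the sample markup are constructed for this example.

```php
<?php
// Added example (not ChurchCRM's code): output encoding for stored property data
// and session-cookie hardening against the hijacking the advisory describes.
// Function names, array shape and sample data are assumptions for illustration.

declare(strict_types=1);

/** Escape a string for insertion into HTML text or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Unsafe: stored property names and values go straight into the markup. */
function renderPropertiesUnsafe(array $properties): string
{
    $html = '<ul>';
    foreach ($properties as $p) {
        $html .= '<li>' . $p['name'] . ': ' . $p['value'] . '</li>';
    }
    return $html . '</ul>';
}

/** Hardened: every field that originated from a user passes through h() on output. */
function renderPropertiesSafe(array $properties): string
{
    $html = '<ul>';
    foreach ($properties as $p) {
        $html .= '<li>' . h($p['name']) . ': ' . h($p['value']) . '</li>';
    }
    return $html . '</ul>';
}

/** Call before session_start(): HttpOnly keeps document.cookie from exposing the id. */
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed sample: one benign property and one whose name/value carry markup,
// as a low-privilege editor could have saved them.
$properties = [
    ['name' => 'Volunteer',                 'value' => 'Choir'],
    ['name' => '<script>alert(1)</script>', 'value' => '" onmouseover="alert(2)'],
];

$unsafe = renderPropertiesUnsafe($properties);
$safe   = renderPropertiesSafe($properties);

// The raw render keeps the script tag; the encoded render turns it into text.
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));
assert(str_contains($safe, '&quot; onmouseover=&quot;'));

echo $safe, PHP_EOL;
```

The point of the split is that the fix belongs at the output boundary, not at the permission check: a "Manage Properties and Classifications" grant is a legitimate role, so the renderer must treat every stored property field as untrusted regardless of who saved it. `hardenSessionCookie()` is a second, independent layer; it does not stop the script from running, but it denies the script the session id that the advisory's title says was the target.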
## Affected Products
- **ChurchCRM/CRM**
## References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcw7-mmfh-7vjm
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.