14 matches found
CVE-2026-26059 ChurchCRM has Stored Cross-Site Scripting (XSS) in GroupEditor.php
ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue...
CVE-2026-26059
CVE-2026-26059 affects ChurchCRM prior to 6.8.2 and is a stored XSS in GroupEditor.php: an authenticated user with group-edit permissions could store a JavaScript payload that executes when the group is viewed. The issue is fixed in version 6.8.2. If upgrading is possible, apply 6.8.2 or newer to...
CVE-2026-26059 ChurchCRM has Stored Cross-Site Scripting (XSS) in GroupEditor.php
ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue...
CVE-2026-26059 ChurchCRM has Stored Cross-Site Scripting (XSS) in GroupEditor.php
ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue...
ChurchCRM GroupEditor.php Page Cross-Site Scripting Vulnerability
ChurchCRM is an open source church management system. ChurchCRM has a cross-site scripting vulnerability that stems from the lack of effective filtering and escaping of user-supplied data on the GroupEditor.php page, which can be exploited by an attacker to execute arbitrary Web script or HTML by...
CVE-2025-68399
ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to...
CVE-2025-68399 ChurchCRM has Stored Cross-Site Scripting (XSS) In GroupEditor.php
ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to...
CVE-2025-68399 ChurchCRM has Stored Cross-Site Scripting (XSS) In GroupEditor.php
ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to...
CVE-2025-0981
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the sessi...
CVE-2025-0981
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the sessi...
CVE-2025-0981 Session Hijacking via Stored Cross-Site Scripting (XSS) in ChurchCRM GroupEditor.php Description Field
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the sessi...
CVE-2025-0981 Session Hijacking via Stored Cross-Site Scripting (XSS) in ChurchCRM GroupEditor.php Description Field
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the sessi...
CVE-2024-49593
CVE-2024-49593 affects the WordPress ecosystem via two plugins: Advanced Custom Fields (ACF) and Secure Custom Fields. The vulnerability is a stored XSS that can be triggered when editing a Field Group with the plugin editors, enabling execution of malicious payloads. Affected versions are ACF pr...
PT-2024-33558 · WordPress · Advanced Custom Fields Pro +1
Name of the Vulnerable Software and Affected Versions: Advanced Custom Fields (ACF) versions prior to 6.3.9; Secure Custom Fields versions prior to 6.3.6.3. Description: The issue allows for the execution of a stored XSS payload when using the Field Group editor to edit one of the plugin's fields in...