CVE-2026-32880 Overview
CVE-2026-32880 is a stored Cross-Site Scripting (XSS) vulnerability affecting ChurchCRM, an open-source church management system. The vulnerability exists in versions prior to 7.0.2, where an admin user can edit JSON type system settings to store a JavaScript payload that executes when any admin views the system settings. The JSON input is left unescaped and unsanitized in SystemSettings.php, leading to the XSS condition.
Critical Impact
Admin users can inject malicious JavaScript payloads through system settings that execute in the browser context of other administrators, potentially leading to session hijacking, privilege abuse, or further compromise of the church management system.
Affected Products
- ChurchCRM versions prior to 7.0.2
- ChurchCRM church management system (all installations running vulnerable versions)
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-32880 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32880
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw resides in ChurchCRM's handling of JSON-type system settings within SystemSettings.php. When an administrator modifies these settings, the application fails to properly escape or sanitize user-supplied input before storing it in the database and rendering it back to the browser.
The attack requires an authenticated user with administrative privileges to exploit, but once malicious JavaScript is stored, it will execute in the browser context of any administrator who subsequently views the system settings page. This creates a persistent (stored) XSS condition that can affect multiple users over time.
Root Cause
The root cause of this vulnerability is improper input validation and output encoding in the SystemSettings.php file. The application directly stores and renders JSON input from administrative users without implementing proper sanitization or escaping mechanisms. This allows JavaScript code embedded within JSON values to be interpreted and executed by the browser when the settings page is rendered.
Attack Vector
The attack vector is network-based, requiring the attacker to have high-level privileges (administrator access) to the ChurchCRM application. The exploitation path involves:
- An attacker with admin credentials accesses the system settings interface
- The attacker modifies a JSON-type system setting to include a malicious JavaScript payload
- The payload is stored in the database without sanitization
- When any administrator navigates to view the system settings, the malicious script executes in their browser context
- The attacker can then steal session cookies, perform actions as the victim administrator, or inject additional malicious content
The vulnerability requires user interaction from the victim (viewing the system settings page) for successful exploitation. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-32880
Indicators of Compromise
- Unexpected JavaScript code or <script> tags present in JSON system settings values
- Unusual modifications to system settings by admin accounts
- Browser developer console showing execution of unexpected scripts on the system settings page
- Session anomalies or unauthorized administrative actions following settings page visits
Detection Strategies
- Review ChurchCRM system settings database entries for suspicious JavaScript patterns or HTML tags embedded in JSON values
- Implement web application firewall (WAF) rules to detect XSS payloads in POST requests to system settings endpoints
- Monitor application logs for unusual modifications to JSON-type system settings
- Deploy browser-based XSS detection mechanisms that can identify malicious script execution
Monitoring Recommendations
- Enable detailed logging for all administrative actions within ChurchCRM, particularly system settings modifications
- Implement Content Security Policy (CSP) headers to restrict inline script execution
- Set up alerts for any changes to critical system configuration settings
- Regularly audit administrative user accounts and their recent activity
How to Mitigate CVE-2026-32880
Immediate Actions Required
- Upgrade ChurchCRM to version 7.0.2 or later immediately
- Audit all JSON-type system settings for any suspicious content or embedded JavaScript
- Review administrative user accounts and remove any that are unnecessary or compromised
- Implement additional access controls to limit which administrators can modify system settings
Patch Information
The vulnerability has been addressed in ChurchCRM version 7.0.2. Organizations should upgrade to this version or later to remediate the vulnerability. The fix implements proper input sanitization and output encoding for JSON-type system settings in SystemSettings.php.
For official patch details and release notes, refer to the ChurchCRM GitHub Security Advisory.
Workarounds
- Restrict administrative access to only essential trusted personnel until patching is complete
- Implement a Web Application Firewall (WAF) with XSS protection rules in front of the ChurchCRM application
- Deploy Content Security Policy headers to mitigate the impact of any XSS exploitation
- Consider temporarily disabling the ability to edit JSON-type system settings if operationally feasible
# Example: Add Content Security Policy header in Apache configuration
# Add to .htaccess or virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
