CVE-2026-35534 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in ChurchCRM, an open-source church management system. The vulnerability exists in PersonView.php due to incorrect use of the sanitizeText() function as an output sanitizer for HTML attribute context. This function only strips HTML tags but does not escape quote characters, allowing attackers to break out of the href attribute and inject arbitrary JavaScript event handlers.
Critical Impact
Any authenticated user with the EditRecords role can store a malicious payload in a person's Facebook field. The XSS fires against any user who views that person's profile page, including administrators, enabling session hijacking and full account takeover.
Affected Products
- ChurchCRM versions prior to 7.1.0
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-35534 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35534
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The root issue lies in the misuse of the sanitizeText() function within the PersonView.php file. While this function was intended to sanitize user input, it only removes HTML tags and fails to properly escape special characters such as quote marks that are critical in HTML attribute contexts.
When user-supplied data containing the malicious payload is rendered in an HTML attribute (specifically the href attribute), an attacker can use quote characters to break out of the attribute context. This allows the injection of arbitrary JavaScript event handlers such as onclick, onmouseover, or similar DOM events that execute attacker-controlled JavaScript code.
The stored nature of this XSS makes it particularly dangerous. Once a malicious payload is stored in a person's Facebook field, it persists in the database and executes every time any user—including administrators with elevated privileges—views the affected profile page.
Root Cause
The root cause is the improper sanitization of user input in the PersonView.php file. The sanitizeText() function is designed to strip HTML tags but does not escape quotation marks or other special characters required for safe rendering within HTML attribute contexts. This oversight allows attackers to escape the intended attribute boundary and inject malicious JavaScript code.
Attack Vector
The attack is network-based and requires low privileges (EditRecords role) with user interaction required for exploitation. An authenticated attacker can:
- Navigate to a person's profile editing page
- Insert a crafted payload containing quote characters and JavaScript event handlers into the Facebook field
- Save the profile, storing the payload in the database
- Wait for any user (including administrators) to view the affected profile page
- When the victim views the page, the malicious JavaScript executes in their browser context
The cross-site scripting payload can be used to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites. Since administrators can fall victim to this attack, it enables complete account takeover and potential compromise of the entire ChurchCRM installation.
Detection Methods for CVE-2026-35534
Indicators of Compromise
- Unusual JavaScript event handlers (e.g., onclick, onmouseover, onerror) stored in user profile fields such as the Facebook field
- Quote characters followed by event handler syntax in database records for person profiles
- Unexpected outbound requests from client browsers when viewing specific profile pages
- Session cookies being sent to external domains
Detection Strategies
- Review database entries in person profile fields for suspicious patterns containing quote escapes and JavaScript event handlers
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor web application firewall (WAF) logs for XSS payloads in POST requests to profile update endpoints
- Audit user accounts with EditRecords permissions for suspicious activity
Monitoring Recommendations
- Enable logging for all profile field modifications and review for anomalous content
- Configure browser-based XSS protections and CSP violation reporting
- Monitor for unauthorized session activity that may indicate session hijacking
- Implement regular security scans of database content for stored XSS payloads
How to Mitigate CVE-2026-35534
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Audit existing person profile records for malicious payloads in the Facebook field and other user-editable fields
- Review access logs to identify any potential exploitation attempts
- Consider temporarily restricting the EditRecords role until the patch is applied
Patch Information
ChurchCRM has addressed this vulnerability in version 7.1.0. The fix properly escapes special characters including quotes when rendering user-supplied data in HTML attribute contexts. Organizations should upgrade to the latest version to remediate this vulnerability. For detailed information, see the GitHub Security Advisory.
Workarounds
- Restrict the EditRecords role to only trusted users until the patch can be applied
- Implement a Web Application Firewall (WAF) with XSS protection rules to filter malicious payloads
- Deploy Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks by blocking inline script execution
- Manually sanitize existing database entries by removing or encoding special characters in user profile fields
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
