CVE-2026-39332 Overview
ChurchCRM is an open-source church management system. A reflected Cross-Site Scripting (XSS) vulnerability exists in GeoPage.php prior to version 7.1.0 that allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. The payload fires automatically via autofocus with no user interaction required, enabling attackers to steal session cookies and fully take over victim accounts, including administrator accounts, by tricking them into submitting a crafted form.
Critical Impact
Authenticated attackers can achieve full account takeover of any ChurchCRM user, including administrators, through session cookie theft via automatic XSS payload execution.
Affected Products
- ChurchCRM versions prior to 7.1.0
Discovery Timeline
- 2026-04-07 - CVE-2026-39332 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39332
Vulnerability Analysis
This vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting). The reflected XSS flaw in GeoPage.php is particularly dangerous because it leverages the HTML autofocus attribute to trigger the malicious payload without requiring any additional user interaction beyond visiting the malicious link.
When an authenticated user visits a specially crafted URL or submits a form containing the malicious payload, the JavaScript code executes automatically in the context of their authenticated session. This provides the attacker with full access to the victim's session, enabling complete account takeover.
Exploitation requires network access and a low-privileged authenticated account on the ChurchCRM application. The CVSS scope is Changed, because the impact extends beyond the vulnerable component's own security scope: the sessions of other authenticated users, including those with administrator privileges, can be compromised.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding in the GeoPage.php component. User-supplied input is reflected back into the HTML response without proper sanitization, allowing malicious JavaScript to be injected and executed in the victim's browser context. The use of the autofocus attribute exacerbates the issue by ensuring the payload fires immediately without requiring user interaction such as clicking on an element.
Attack Vector
The attack is network-based and requires the attacker to craft a malicious URL or form that, when accessed by an authenticated victim, injects and executes arbitrary JavaScript. The exploitation flow typically involves:
- Attacker crafts a malicious URL containing XSS payload targeting GeoPage.php
- Attacker delivers the URL to victim via phishing, social engineering, or embedding in a webpage
- Victim clicks the link while authenticated to ChurchCRM
- The XSS payload executes automatically due to the autofocus attribute
- Attacker's JavaScript steals the session cookie and sends it to an attacker-controlled server
- Attacker uses the stolen session to impersonate the victim, including administrator accounts
The vulnerability manifests in the GeoPage.php file where user input is reflected without proper encoding. For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39332
Indicators of Compromise
- Unusual outbound requests from user browsers to external domains while using ChurchCRM
- Session cookie values appearing in access logs or being sent to unauthorized endpoints
- Suspicious URL patterns in access logs containing encoded JavaScript or script tags targeting GeoPage.php
- Multiple session hijacking events or unexpected account access from different IP addresses
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in requests to GeoPage.php
- Monitor HTTP access logs for requests containing suspicious parameters such as <script>, onerror, onfocus, or autofocus in URL query strings
- Deploy Content Security Policy (CSP) headers to detect and report inline script execution attempts
- Utilize endpoint detection solutions to identify unusual browser behavior indicative of XSS exploitation
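The access-log check from the Detection Strategies above, as an added Python example (not part of the advisory or of ChurchCRM): it extracts the request target from combined-format log lines, percent-decodes the query string twice so encoded and double-encoded variants are caught, and flags the tokens the advisory names, marking whether the request targeted GeoPage.php. The log lines, client addresses and the parameter name `param` are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Tokens named in the advisory's detection guidance, matched case-insensitively
# against the decoded query so percent-encoding does not hide them.
SUSPICIOUS = re.compile(r"<\s*script|on(?:error|focus)\s*=|\bautofocus\b", re.IGNORECASE)
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def decode_query(target: str) -> str:
    """Return the query string of a request target, percent-decoded twice
    so that double-encoded payloads (%253C -> %3C -> <) are also exposed."""
    return unquote_plus(unquote_plus(urlsplit(target).query))

def scan_log(text: str) -> list:
    """One finding per log line whose decoded query contains a suspicious token."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        path = urlsplit(target).path
        hit = SUSPICIOUS.search(decode_query(target))
        if hit:
            findings.append({
                "client": line.split()[0],
                "path": path,
                "token": hit.group(0).lower(),
                "geopage": path.lower().endswith("/geopage.php"),
            })
    return findings

# Constructed sample entries (not real traffic): one benign GeoPage.php request,
# one with an encoded attribute-breakout probe, one script tag against another
# page, and one double-encoded script tag against GeoPage.php.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2026:10:00:01 +0000] "GET /GeoPage.php?param=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Apr/2026:10:00:02 +0000] "GET /GeoPage.php?param=%22%20autofocus%20onfocus%3D%22x HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Apr/2026:10:00:03 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 900 "-" "curl/8.0"
203.0.113.7 - - [07/Apr/2026:10:00:04 +0000] "GET /GeoPage.php?param=%253Cscript%253E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Findings that have `geopage` set and come from a client that also shows a successful page load are the ones to correlate with session-anomaly alerts.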
Monitoring Recommendations
- Enable detailed logging for all requests to the ChurchCRM application, particularly GeoPage.php
- Set up alerts for session anomalies such as concurrent sessions from geographically distant locations
- Monitor for CSP violation reports that may indicate XSS exploitation attempts
- Review authentication logs for signs of session hijacking or unauthorized administrative access
How to Mitigate CVE-2026-39332
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review access logs for signs of exploitation targeting GeoPage.php
- Force logout all active sessions and require re-authentication after patching
- Implement Content Security Policy headers to mitigate impact of any unpatched XSS vulnerabilities
Patch Information
This vulnerability is fixed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later to remediate the vulnerability. The patch implements proper input validation and output encoding in GeoPage.php to prevent reflected XSS attacks. For detailed patch information, see the GitHub Security Advisory.
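An added Python model of the Root Cause and Patch Information sections (not ChurchCRM's PHP code): a page reflects a query parameter raw into an `<input>` value attribute, then the same page with attribute-context entity encoding, and a parser check confirms that the encoded version cannot grow extra attributes such as `autofocus`. The parameter name `location` and the probe string are assumed for illustration.

```python
import html
from html.parser import HTMLParser

def render_unsafe(location: str) -> str:
    # Vulnerable pattern: the parameter is reflected raw inside a quoted attribute,
    # so a double quote in the input closes the value and whatever follows is
    # parsed as additional attributes on the element.
    return f'<form><input name="location" value="{location}"></form>'

def render_safe(location: str) -> str:
    # Hardened pattern: entity-encode &, <, >, " and ' before reflecting.
    # PHP equivalent: htmlspecialchars($location, ENT_QUOTES, 'UTF-8').
    encoded = html.escape(location, quote=True)
    return f'<form><input name="location" value="{encoded}"></form>'

class _InputAttrs(HTMLParser):
    """Collects the attribute dict of every <input> tag in a document."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

def input_attributes(markup: str) -> list:
    """Tokenize markup the way a browser would and return each <input>'s attributes."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.inputs

# Constructed probe: a quote to close the value, then an attribute the page never set.
PROBE = '" autofocus data-probe="1'

def unsafe_gains_attributes(probe: str = PROBE) -> bool:
    """True when the unencoded page lets the probe add attributes to the input."""
    attrs = input_attributes(render_unsafe(probe))[0]
    return set(attrs) != {"name", "value"}

def safe_round_trips(probe: str = PROBE) -> bool:
    """True when the encoded page keeps only name/value and the value is the probe."""
    attrs = input_attributes(render_safe(probe))[0]
    return set(attrs) == {"name", "value"} and attrs["value"] == probe
```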
Workarounds
- If immediate patching is not possible, restrict access to ChurchCRM to trusted networks only
- Implement a Web Application Firewall with XSS detection rules to filter malicious requests
- Educate users about the risks of clicking on links from untrusted sources while authenticated to ChurchCRM
- Consider temporarily disabling or restricting access to GeoPage.php if it is not critical to operations
# Example: Add Content Security Policy header in Apache configuration (requires mod_headers)
# This helps mitigate the impact of XSS attacks by restricting script execution:
# without 'unsafe-inline', injected inline scripts and event-handler attributes are blocked.
# Test the application after enabling it, since legitimate inline scripts are blocked as well.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.