


Perceptive Security
SOC/SIEM Consultancy

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Pr…
Published:
6 April 2026 at 22:00:00
Alert date:
7 April 2026 at 19:08:14
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
ChurchCRM, an open-source church management system, contains a stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.0. The vulnerability exists in the Person Property Management subsystem and allows authenticated users to inject arbitrary JavaScript code via dynamically assigned person properties. This issue persists even in versions patched for CVE-2023-38766. The malicious payload is stored persistently and executes when other users view affected person profiles or access printable views, potentially leading to session hijacking or full account compromise. The vulnerability has been fixed in version 7.0.0.
Mitigation steps:
Upgrade to ChurchCRM 7.0.0 or later, the version in which the issue is fixed.
Affected products:
ChurchCRM
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-35576
https://github.com/ChurchCRM/CRM/pull/8016
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv
Related CVEs:
CVE-2023-38766 (earlier ChurchCRM XSS fix; this issue persists even in versions patched for it)
This article was created with the assistance of AI technology by Perceptive.
