Releases: ChurchCRM/CRM

6.5.1

15 Dec 00:54

🌟 Church CRM Version 6.5: Modernization, Security, and User Experience

We are excited to announce the release of Church CRM version 6.5.0. This is a major structural update focused on modernizing the user experience, removing legacy code, and significantly enhancing application security.

This release introduces visible UX improvements, but also crucial underlying changes that improve stability and set the stage for future development.


✨ Key Highlights of Version 6.5

📸 Major Photo and Avatar UX Improvements

The way photos and avatars are displayed has been completely modernized, resulting in a cleaner and faster experience.

  • Client-Side Avatar Generation: User initial avatars are now generated directly in your web browser, speeding up page load times and reducing server load.
  • Standardized Photo Display: Consistent camera icons are now used across all person and family tables for a unified look.
  • New Lightbox View: Photos now open in a modern lightbox overlay for better viewing and consistent action buttons.

✂️ Removal of Legacy Features (eGive and Phone Fields)

To streamline the application and remove untested code, two features have been permanently removed:

  • eGive Integration Removed: The legacy eGive integration and all related models, UI, and database schemas have been removed. This simplifies the database and removes an unused feature.
  • Family Work/Cell Phone Fields Removed: The seldom-used fam_WorkPhone and fam_CellPhone fields have been removed from the database schema and all forms to simplify the family data structure.

🔒 Application Security & Hardening (High Level)

A major focus of this release was security, reinforcing the application against potential attacks.

  • Critical Security Fixes: Multiple critical vulnerabilities, including SQL injection and stored XSS issues, have been addressed.
  • Standardized Input Handling: The system now uses consistent and standardized methods for handling all user input and output, making the application much more resilient.

🌐 UI and System Modernization

  • Improved Family Verification Page: The "Verify Family Info" page has been refactored for a modern look and better performance.
  • Centralized Dropdowns: Legacy PHP dropdowns for fields like Country/State have been replaced with a centralized JavaScript manager for consistent and faster form loading in editors.
  • Registration Link UX: Improved the user experience for the registration link on the login page.
  • Database Cleanup: Six orphaned database tables were removed, and the core database schema was cleaned up.

💻 Behind the Scenes (For Developers & Admins)

  • API Standardization: Family API routes now follow the correct singular/plural REST conventions (/api/family/{id}).
  • Testing and Stability: We added many new Cypress tests for the API and UI (finance, search

Full Changelog: 6.4.0...6.5.1

6.4.0

09 Dec 06:10

🚀 Church CRM Version 6.4.0: Security, Stability, and API Modernization

We are pleased to announce the release of Church CRM version 6.4.0, a maintenance update focused on enhancing the platform's security, modernizing its internal API structure, and resolving key stability issues.

While this release contains fewer visible user features, the underlying security and stability improvements are vital for the health and performance of your CRM instance.


🛡️ Important Security & Stability Updates

1. Critical Security Enhancements (Recommended Update)

This release continues our focus on application security, addressing potential vulnerabilities at the system level.

  • CSRF Protection for Logs: Added Cross-Site Request Forgery (CSRF) protection to log management endpoints, preventing unauthorized actions against your system logs.
  • Comprehensive URL Validation: Implemented robust URL validation for Config.php settings to prevent potential misconfigurations or injection risks.
  • API Security & Consistency: Began a refactoring process to replace direct, less-secure AJAX calls with a standardized AdminAPIRequest wrapper, improving how sensitive administrative data is handled.

2. Core System Fixes

  • Custom Field Fatal Error: Fixed a critical bug that caused a fatal error when attempting to delete a person's custom field. This restores reliable administrative function for managing your data fields.
  • Upgrade Check Fix: Corrected an issue where the system update check incorrectly indicated an upgrade was available even when you were already running the current version.

✨ API Modernization and Developer Improvements

This release is a major step toward modernizing the core architecture of Church CRM, ensuring better security and easier future development.

  • API Service Refactoring: The core API service has been upgraded and refactored for better performance and consistency.
  • Admin API Consolidation: System configuration endpoints were moved to a dedicated, more secure path: from /api/system to /admin/api/system.
  • Debugging Tools: Added comprehensive logging for sha1_file() failures to assist with diagnosing file integrity and upgrade issues.

🌍 Localization & Reporting

  • Setup Locale Detection: Implemented locale detection in the setup wizard and debug page to ensure a smoother, localized start for new installations.
  • Improved Confirmation Report: Minor layout improvements were made to the confirmation report for better readability.

Full Changelog: 6.3.0...6.4.0

6.3.0

06 Dec 02:16
2938747

🚨 Critical Security and Feature Update: Church CRM Version 6.3.0 🚨

A major new release of Church CRM is now available. This update includes several significant user experience improvements and, most importantly, addresses a large number of critical security vulnerabilities. We strongly recommend all users upgrade to 6.3.0 immediately.


🛡️ CRITICAL SECURITY MANDATE: Update Immediately

This release contains extensive security fixes that are essential for protecting your data and users. Several vulnerabilities, including Cross-Site Scripting (XSS) and SQL Injection risks, have been patched.

Key Security Enhancements:

  • Massive Vulnerability Patching: This release fixes numerous XSS vulnerabilities across multiple areas (CSV Import, Public Registration, Group names/descriptions, Calendar name, Family notes) and multiple SQL Injection vulnerabilities (in Event Editor, custom field editors, and other parameters).
  • Enhanced Access Control: Fixes issues with broken access control in Kiosk Manager API endpoints.
  • Password Security Upgrade: Implements an upgrade to the password hashing mechanism for improved user data protection.
  • System Integrity & Redirects: New features for System File Integrity checks and a dedicated Security Redirect Page have been added to improve overall platform resilience.

Action Required: Due to the severity and volume of security patches, updating to Church CRM 6.3.0 is the highest priority.


✨ Exciting New Features & User Experience (UX) Improvements

Version 6.3.0 brings a host of updates designed to make daily administration faster, cleaner, and more intuitive.

📊 Dashboard & System Improvements

  • New Finance Dashboard: A dedicated Finance Dashboard & Report Pages feature has been added to streamline financial oversight.
  • Improved User Dashboard: The main dashboard is now more helpful with:
    • 14-Day Lookahead: See upcoming birthdays and anniversaries for the next two weeks.
    • Performance: Data checks and admin tasks have been moved to the dashboard for better performance.
  • First-Time Setup Wizard: A new admin dashboard setup wizard simplifies first-time system configuration.
  • Backup/Restore Improvements: Enhancements to the backup and restore functionality for greater reliability.

📝 Editor & Navigation Enhancements

  • Modernized Editors (Family & Person): Significant UX improvements to the Family Editor and Person Editor pages, including better layout and updated Floating Action Buttons (FABs).
  • Deposit Slip Navigation: Added previous/next navigation buttons to the Deposit Slip Editor for faster processing.
  • Menu Speed and Clarity:
    • Faster Menus with Icons: Menu speed has been improved, and new icons are utilized for better visual recognition.
    • Accurate Menu Highlighting: Menu highlighting now accurately reflects the active page you are viewing.

📅 Events & System Administration

  • Events UX Cleanup: The Events management area has been given a UX cleanup and simplification pass.
  • System Administration Consolidation: Admin pages have been consolidated to a /admin/system path for easier access and management.

🐞 Notable Bug Fixes

While the focus is on security and new features, several functional bugs were also addressed:

  • Fixes to issues impacting the Sunday School dashboard and group role management.
  • Resolved missing variable extraction in the Advanced Deposit feature.

Full Changelog: 6.2.0...6.3.0

6.2.0

27 Nov 01:04

🚀 ChurchCRM Version 6.2.0 Release Notes

We are excited to announce the release of ChurchCRM v6.2.0! This update brings significant improvements to our Financial Reporting tools, several important bug fixes, and general system enhancements.

🎉 New Features & User Experience (UX) Enhancements

  • Improved Financial Reporting: We have updated the user experience for the Financial Reports, making them easier to read and use.
  • Enhanced Deposit Management:
    • Resolved an issue that could cause a 500 error when generating deposit PDFs.
    • The system now preserves your filter settings in the Advanced Deposit screen after you apply them.
  • New Demo Data Import Tool: An official feature has been added to import demo data, making it easier for new users to test and explore the system.

🪲 Key Bug Fixes

  • Fixed Duplicate Editor Toolbar: Resolved an issue where the Quill editor (used in various text areas) was sometimes displaying two duplicate toolbars (Fixes issue #7641).
  • Corrected Slim 4 Middleware: Fixed an issue with the execution order of Slim 4 middleware to ensure correct application flow and JSON error handling.
  • Google Photos Support Removed: Google Photos integration has been removed due to API changes and maintenance challenges.

🛠️ System Improvements & Refactoring

  • System Logs Relocated: The System Logs UI has been moved to a dedicated section under the Admin views for better organization.
  • System Upgrade Route Consolidated: The system upgrade route is now consistent, moving to /admin/system/upgrade.
  • Internal Code Enhancements: Various internal code improvements were made for stability, including:
    • Building new file signatures for internal integrity.
    • Refactoring error handling into a centralized helper function.

🌍 Localization Updates

  • We have included several recent updates to our localization files, ensuring that the CRM is correctly translated across all supported languages.

📦 Dependency Updates

  • All dependent NPM packages have been updated to their latest stable versions for security and performance.

For a detailed list of all changes, please see the Full Changelog: 6.1.0...6.2.0

6.1.0

21 Nov 04:59
f434b4b

ChurchCRM 6.1.0

🛑 Critical System Requirement: PHP 8.2+

This release requires PHP 8.2 or higher. If you are currently running PHP 8.1 or lower, the application will not function after the upgrade is complete until your PHP version is updated.

Please ensure your hosting environment meets this requirement before starting the upgrade process. For detailed environment specifications, visit the Application Platform Prerequisites.


🚀 Release Overview

ChurchCRM 6.1.0 is a minor maintenance release focusing on system stability, reliable update detection, and global localization efforts.

🛠️ System Stability & Maintenance

  • Improved Update Detection: Resolved issues regarding version comparison logic and release sorting. This ensures the system accurately identifies and notifies administrators of the latest available updates.

🌍 Localization

  • Locale Updates: Integrated the latest community translations and language packs from the POEditor platform to improve support for our global users.

Full Changelog: 6.0.2...6.1.0

6.0.2

20 Nov 07:49
02e340f

ChurchCRM 6.0.2

🛑 Critical System Requirement: PHP 8.2+

This release requires PHP 8.2 or higher. If you are currently running PHP 8.1 or lower, the application will not function after the upgrade is complete until your PHP version is updated. Please verify that your hosting environment meets this requirement before starting the upgrade process. For more details, see our Application Platform Prerequisites.


🚀 What's Changed

This is a maintenance and bug fix release for the 6.0.x series, focusing on editor improvements, security dependency updates, and localization.

🪲 Bug Fixes

  • Deposit Slip Editor: Enhanced UX and added fund filtering for a better administrative experience. (By @DawoudIO in #7616)
  • UI Compatibility: Fixed Bootstrap 4.6.2 compatibility issues specifically within the deposit slip editor. (By @Copilot in #7617)

🌍 Localization

  • Updated language locales via POEditor (2025-11-20).

🛡️ Security & Dependencies

  • Updated js-yaml and glob (from 10.4.5 to 10.5.0) to ensure environment stability.

🔧 Other Improvements

  • Automated Release: Initialized 6.0.2 release workflows.
  • Testing Infrastructure: Refactored Cypress login to use modern session-based authentication for more reliable testing. (By @DawoudIO in #7601)

Full Changelog: 6.0.1...6.0.2

6.0.1

16 Nov 00:09

⚠️ IMPORTANT: PHP 8.2+ REQUIRED for ChurchCRM 6.0.0 ⚠️

This release requires PHP 8.2 or higher. If you are currently running PHP 8.1 or lower, the application will not work after the upgrade is complete until your PHP version is updated. Please ensure your hosting environment meets this requirement before starting the upgrade process.


🚀 ChurchCRM 6.0.1 Release Notes

We're excited to announce ChurchCRM 6.0.x, a significant update focusing on modernizing the user interface, improving performance, and bolstering security. This release includes major updates to underlying libraries and introduces a cleaner, more responsive user experience across many pages.

✨ New Features and UI Modernization

This release focuses heavily on updating the look and feel of the CRM, migrating away from older styles to modern Bootstrap 4.6.2 standards for a more consistent and professional interface.

  • Modernized Photo Handling: The outdated thumbnail system has been removed and replaced with a modern photo handling approach.
  • Redesigned Key Pages:
    • Family Registration has a completely new look.
    • The Setup and System Upgrade wizards now use cleaner card and stepper layouts for an enhanced user experience (UX).
    • Person List, Sunday School, and Family pages have been updated to the new Bootstrap 4.6.2 styling with improved layouts and color-coded buttons.
  • Improved User Experience:
    • Standardized email dropdown buttons across dashboard files.
    • Improved user flow for Forgot Password and Password Reset pages.
    • Migrated the notification system from bootstrap-notify to the modern Notyf library.

🐛 Key Bug Fixes and Security

We've addressed several critical issues and vulnerabilities in this release.

  • Security Patches:
    • Fixed Cross-Site Scripting (XSS) vulnerabilities in the custom menu system and the V2 cart.
    • Addressed a CSV injection vulnerability in financial reports.
  • System Stability:
    • Fixed a 500 error that occurred on Slim endpoints when Config.php was missing.
    • Resolved issues with Slim routing in subdirectory installations.
    • Fixed a bug with the deposit slip that prevented payments without a family from showing.
    • Resolved a JavaScript error with the Deposit Slip Editor Datatable.
    • Fixed database error handling to display clear error messages.
    • Improved prerequisite checks to test actual application functionality.

🛠️ Developer and Technical Updates

This section highlights major under-the-hood changes for system administrators and developers.

  • PHP Requirement Increase: The minimum required PHP version is now 8.2. (See header for more details).
  • Major Dependency Updates:
    • DataTables upgraded from 1.10.18 to 1.13.11, and relevant packages updated to 2.4.3.
    • Removed several unused and obsolete libraries like fastclick, pace.js, and bootstrap-show-password.
    • Removed jQuery UI completely, replacing the autocomplete feature in Checkin.php with Select2.
    • Bundled jQuery via Webpack.
    • Updated Chart.js configurations to v4 syntax.
  • Modern Development Setup:
    • Added support for GitHub Codespaces and Dev Containers for instant development environments.
    • Added ESLint configuration for improved code quality.

🌐 Localization

  • Multiple updates to locale files for improved internationalization (I18N).
  • Implemented a Dynamic Locale Loading System to optimize how language files are loaded.

Need help with the upgrade process or have questions about the new features?

5.22.1

08 Nov 17:55
101ad1d

ChurchCRM 5.22.1

⚠️ Important Announcement: End of 5.x Series

This release marks the final update for the ChurchCRM 5.x.x version series. Our next major milestone, ChurchCRM 6.0, will introduce significant architectural improvements. Please be aware that version 6.x will require newer PHP and Database versions to function.

Action Required: Before upgrading to future releases, please review the Application Platform Prerequisites to ensure your server environment is compatible with the upcoming 6.x requirements.


🚀 What's Changed

This hotfix addresses critical routing and security reporting issues identified in the 5.22.0 release.

🪲 Bug Fixes

  • Security Reporting: Moved the CSP report endpoint to the public API to allow for pre-login access. (By @DawoudIO in #7561)
  • Routing Fix: Resolved subdirectory Slim routing issues to fix regressions from 5.22.0. (By @DawoudIO in #7558)

Full Changelog: 5.22.0...5.22.1

5.22.0

01 Nov 21:37
79cfb2a

What's Changed

🎉 Exciting New Features

  • Cart System Modernization - Summary by @DawoudIO in #7506
  • UI/css consolidation by @DawoudIO in #7473
  • ensure select2 UI matches bootstrap4 and fixed issues by @DawoudIO in #7482
  • Complete CKEditor4 → Quill 2.0.3 migration with event form UX enhancements and CSS consolidation. by @DawoudIO in #7488
  • API: Add null safety and make notification endpoint configurable by @DawoudIO in #7496
  • UI: Modernize icon usage across the UI to be fully compatible with Font Awesome 6 by @DawoudIO in #7497
  • UI: Family View Style Cleanup by @DawoudIO in #7498
  • Replace jquery-photo-uploader with Uppy by @Copilot in #7501
  • UI Cleanup for People Dashboard & Person List by @DawoudIO in #7504
  • Modernize and enhance Group Management UI/UX by @DawoudIO in #7513
  • Modernizes the Sunday School Dashboard and Class pages by @DawoudIO in #7514
  • Remove redundant breadcrumbs and simplify dashboard UI by @DawoudIO in #7516
  • Add dedicated Notes sections to Person and Family views by @Copilot in #7502
  • Implement Site-wide Floating Action Buttons (FAB) by @DawoudIO in #7505
  • Adds comprehensive AI coding agent documentation covering: by @DawoudIO in #7512

🪲 Bugs

  • Fix Slim middleware ordering and error handling by @DawoudIO in #7494
  • Fix: Add missing RoutingMiddleware to Slim 4 applications causing post-login 404 errors by @Copilot in #7480
  • Fix: Group-specific properties not creating records when adding members to groups by @Copilot in #7439
  • Bug: Financial type fix by @DawoudIO in #7492
  • Bug: Fix timezone issue for all-day calendar events by @DawoudIO in #7515
  • Fix DataTable UI Issues: Headers, Attributes, and Responsive Implementation by @DawoudIO in #7499

💬 Localization

  • 🌍 POEditor Locale Update - 2025-11-01 by @github-actions[bot] in #7511

Security

  • CSP - Security Hardening by @DawoudIO in #7471
  • Implement configurable Content Security Policy (CSP) enforcement by @Copilot in #7413
  • Fix SQL Injection Vulnerability in EditEventTypes.php (CVE-2025-1023) by @Copilot in #7424
  • Fix CSRF vulnerability in password change endpoints by @Copilot in #7500
  • Fix: Consume tokens after validation to prevent reuse by @DawoudIO in #7503

Inner Beauty

👒 Dependencies

Full Changelog: 5.21.0...5.22.0

5.21.0

20 Oct 00:29
cf70b74

🎉 Exciting New Features

  • Add Admin-only option to view and delete system logs by @Copilot in #7437
  • Add admin task and management page for log file cleanup by @Copilot in #7410

🔑 Security

🪲 Bugs

  • Fix CSV import bug: correct inverted date validation logic in ParseDate function by @Copilot in #7440
  • Fix Config.php writability check failing during initial setup by @Copilot in #7426
  • Fix TypeError in AppIntegrityService::getIntegrityCheckMessage() after upgrade to 5.12.0 by @Copilot in #7425
  • Fix: Birthday calendar filter to use proper integer comparison by @Copilot in #7429
  • Fix logging timezone consistency by setting UTC default before bootstrap by @Copilot in #7412
  • Fix missing directories in backup when bBackupExtraneousImages is False by @Copilot in #7418
  • Fix backup database error by adding proper directory creation error handling by @Copilot in #7417
  • Fix: Calendar deletion and access token update bugs by @Copilot in #7383

💬 Localization

  • 5.20.0 POEditor Update - 2025-10-06 by @github-actions[bot] in #7385
  • 5.19.0 POEditor Update - 2025-10-11 by @github-actions[bot] in #7393
  • Locale: Better Scripts & KO Locale by @DawoudIO in #7397
  • 🌍 POEditor Locale Update - Download KO-KR by @github-actions[bot] in #7399
  • 🌍 POEditor Locale Update - 2025-10-12 by @github-actions[bot] in #7401
  • Updated locale scripts by @DawoudIO in #7402
  • 🌍 POEditor Locale Update - 2025-10-13 by @github-actions[bot] in #7453

Inner Beauty

  • started 5.20.0 by @DawoudIO in #7395
  • Fix unnecessary exception logging for public API authentication checks by @Copilot in #7415
  • Slim MVC - Ensure all code is compatible with Slim v4 by @DawoudIO in #7465
  • New DepositService - SQL to ORM by @DawoudIO in #7466
  • Upgrade Cypress System and Test to match latest recommendations by @DawoudIO in #7384
  • Docker cleanup / speed up by @DawoudIO in #7386
  • Update build-test-package.yml to modern actions by @DawoudIO in #7398
  • Cleaner e2e upgrade script with no manual changes by @DawoudIO in #7405
  • cleanupLocalGit is not needed via Grunt by @DawoudIO in #7407
  • fixed 2 versions of cypress and upgraded to latest version by @DawoudIO in #7406
  • remove babel as it is not used by @DawoudIO in #7408
  • Build - Starting release 5.21.0 by @DawoudIO in #7444
  • Potential fix for code scanning alert no. 142: Workflow does not contain permissions by @DawoudIO in #7459
  • Potential fix for code scanning alert no. 139: Workflow does not contain permissions by @DawoudIO in #7460
  • Move upgrade routines from SystemService to new VersionUtils utility class by @Copilot in #7414
  • Slim cleanup by @DawoudIO in #7462
  • Add missing PHP extension requirements for intl, bcmath, and sodium by @Copilot in #7394
  • removed grunt-lineending by @DawoudIO in #7400
  • Fix version detection error when already on latest release by @Copilot in #7411

Full Changelog: 5.19.0...5.21.0