ChurchInfo does not validate or encode an HTTP GET parameter belonging to the "Delete property" function before writing it into an HTML attribute. The vulnerability can be found in the file PropertyDelete.php:
    // Get the Type and Property
    $sType = $_GET["Type"];
    $iPropertyID = FilterInput($_GET["PropertyID"],'int');
    [...]
    <a href="PropertyList.php?Type=<?php echo $sType; ?>"><?php echo gettext("No, cancel this deletion"); ?></a>
Attack:
The following URL contains malicious code in the GET parameter "Type". If it is requested by an (authenticated) user, the response echoes the payload unencoded into the page, where the browser executes it (reflected XSS, see [1]). Note that "PropertyID" is passed through FilterInput with the 'int' type, while "Type" is not filtered at all.
http://localhost/churchinfo/PropertyDelete.php?PropertyID=6&Type="> <script>alert("Hallelujah!");</script>
The payload first closes the href attribute value (") and then the opening link tag (>). Everything that follows is parsed as page content, so arbitrary JavaScript can be injected.
To fix this bug, validate the user input (restrict "Type" to the set of values PropertyList.php actually handles) and encode the output for the HTML attribute context, see e.g. [2].
For example the function "FilterInput", which is already used to filter user supplied input in many other parts of the code (including "PropertyID" in this very file), can be applied to "Type" as well, in addition to encoding the value when it is echoed.
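The following added example (not part of the original advisory and not ChurchInfo's own code) shows the vulnerable link rendering described in the attack section next to a hardened version that applies the validate-then-encode fix. The list of allowed "Type" values, the fallback value and the function names are assumptions made for illustration; ChurchInfo's FilterInput is not used here so that the example runs stand-alone.

```php
<?php
// Added example, not ChurchInfo's own code: the vulnerable pattern from
// PropertyDelete.php next to a hardened version of the same link. The list
// of allowed "Type" values and the fallback value are assumptions.

// Vulnerable: $_GET["Type"] is written into an HTML attribute unencoded,
// so a value containing "> breaks out of the href and the <a> tag.
function renderCancelLinkVulnerable(array $get): string
{
    $sType = $get["Type"] ?? '';
    return '<a href="PropertyList.php?Type=' . $sType . '">'
         . 'No, cancel this deletion</a>';
}

// Hardened: validate against the values the page expects, fall back to a
// safe default, then encode for both contexts the value is placed in
// (a URL query parameter inside an HTML attribute).
function renderCancelLinkHardened(array $get): string
{
    $allowedTypes = ['p', 'f', 'g']; // assumption: person, family, group
    $sType = $get["Type"] ?? '';
    if (!in_array($sType, $allowedTypes, true)) {
        $sType = 'p'; // assumption: a default the list page can handle
    }
    // URL-encode for the query string, then HTML-encode for the attribute.
    // ENT_QUOTES also escapes single quotes, which matters if the attribute
    // were ever single-quoted.
    $safeType = htmlspecialchars(rawurlencode($sType), ENT_QUOTES, 'UTF-8');
    return '<a href="PropertyList.php?Type=' . $safeType . '">'
         . 'No, cancel this deletion</a>';
}

// Constructed request mirroring the advisory's payload, already URL-decoded
// the way PHP presents it in $_GET.
$malicious = [
    'PropertyID' => '6',
    'Type'       => '"> <script>alert("Hallelujah!");</script>',
];

echo renderCancelLinkVulnerable($malicious), "\n";
// The <script> element lands in the page body and executes.
echo renderCancelLinkHardened($malicious), "\n";
// The payload fails validation; only Type=p reaches the page.
```

Run with `php example.php` and compare the two lines of output: the first contains the literal script element outside the link, the second a plain link. Even without the whitelist, the htmlspecialchars() call alone would turn the payload into inert text (the quotes become &quot; and the angle brackets &lt;/&gt;), so the encoding step is what stops the XSS; the validation step additionally keeps unexpected values from reaching PropertyList.php at all.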
[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet