CVE-2025-0687: CWE-79 Cross-Site Scripting (XSS) in Spiritual Gifts Survey (and optional S.H.A.P.E survey)
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
AI Analysis
Technical Summary
CVE-2025-0687 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin, affecting versions up to 0.9.10. The vulnerability arises because the plugin fails to properly sanitize and escape user-supplied input parameters before reflecting them back in the webpage output. This improper handling allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser. The vulnerability specifically targets unauthenticated users, meaning that attackers can exploit it without needing to log in or have any privileges on the WordPress site. The CVSS v3.1 base score is 6.1 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The reflected XSS can be leveraged to steal session cookies, perform actions on behalf of users, or redirect users to malicious websites. Although no known exploits are currently reported in the wild, the vulnerability poses a tangible risk to sites using this plugin. The plugin is used within WordPress environments, which are widely deployed for content management, including by organizations with public-facing websites. The lack of a patch link indicates that a fix may not yet be available, emphasizing the need for mitigation steps. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-352 (Cross-Site Request Forgery) tags suggest that the vulnerability may also be related to insufficient request validation, increasing the risk of exploitation.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information, such as session tokens or personal data, through the execution of malicious scripts in users' browsers. This can result in account hijacking, phishing attacks, or unauthorized actions performed on behalf of users. Public-facing websites using the affected plugin may suffer reputational damage and potential regulatory consequences under GDPR if personal data is compromised. The reflected XSS affects unauthenticated users, which broadens the attack surface, especially for organizations with high visitor traffic. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the vulnerable component, potentially impacting other parts of the web application or user sessions. Although the vulnerability does not directly affect availability, the indirect consequences of exploitation, such as defacement or redirection, can disrupt user trust and service continuity. European organizations relying on WordPress plugins for surveys or community engagement should be particularly cautious, as attackers may exploit this vulnerability to target users or gather intelligence for further attacks.
Mitigation Recommendations
1. Immediate mitigation should include disabling or removing the Spiritual Gifts Survey (and optional S.H.A.P.E survey) plugin until a security patch is released. 2. Implement Web Application Firewall (WAF) rules that detect and block reflected XSS attack patterns targeting the plugin's parameters. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of injected code. 4. Conduct thorough input validation and output encoding on all user-supplied data within the web application, especially for parameters handled by the plugin. 5. Monitor web server and application logs for unusual request patterns that may indicate exploitation attempts. 6. Educate web administrators and developers about the risks of reflected XSS and the importance of secure coding practices. 7. Once available, promptly apply official patches or updates from the plugin vendor. 8. Consider isolating or sandboxing the plugin's functionality to limit the scope of potential attacks. 9. For organizations with high-risk profiles, perform penetration testing focusing on XSS vulnerabilities in WordPress plugins to identify and remediate similar issues proactively.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
CVE-2025-0687: CWE-79 Cross-Site Scripting (XSS) in Spiritual Gifts Survey (and optional S.H.A.P.E survey)
Description
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
AI-Powered Analysis
Technical Analysis
CVE-2025-0687 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin, affecting versions up to 0.9.10. The vulnerability arises because the plugin fails to properly sanitize and escape user-supplied input parameters before reflecting them back in the webpage output. This improper handling allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser. The vulnerability specifically targets unauthenticated users, meaning that attackers can exploit it without needing to log in or have any privileges on the WordPress site. The CVSS v3.1 base score is 6.1 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). The reflected XSS can be leveraged to steal session cookies, perform actions on behalf of users, or redirect users to malicious websites. Although no known exploits are currently reported in the wild, the vulnerability poses a tangible risk to sites using this plugin. The plugin is used within WordPress environments, which are widely deployed for content management, including by organizations with public-facing websites. The lack of a patch link indicates that a fix may not yet be available, emphasizing the need for mitigation steps. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-352 (Cross-Site Request Forgery) tags suggest that the vulnerability may also be related to insufficient request validation, increasing the risk of exploitation.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information, such as session tokens or personal data, through the execution of malicious scripts in users' browsers. This can result in account hijacking, phishing attacks, or unauthorized actions performed on behalf of users. Public-facing websites using the affected plugin may suffer reputational damage and potential regulatory consequences under GDPR if personal data is compromised. The reflected XSS affects unauthenticated users, which broadens the attack surface, especially for organizations with high visitor traffic. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the vulnerable component, potentially impacting other parts of the web application or user sessions. Although the vulnerability does not directly affect availability, the indirect consequences of exploitation, such as defacement or redirection, can disrupt user trust and service continuity. European organizations relying on WordPress plugins for surveys or community engagement should be particularly cautious, as attackers may exploit this vulnerability to target users or gather intelligence for further attacks.
Mitigation Recommendations
1. Immediate mitigation should include disabling or removing the Spiritual Gifts Survey (and optional S.H.A.P.E survey) plugin until a security patch is released. 2. Implement Web Application Firewall (WAF) rules that detect and block reflected XSS attack patterns targeting the plugin's parameters. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of injected code. 4. Conduct thorough input validation and output encoding on all user-supplied data within the web application, especially for parameters handled by the plugin. 5. Monitor web server and application logs for unusual request patterns that may indicate exploitation attempts. 6. Educate web administrators and developers about the risks of reflected XSS and the importance of secure coding practices. 7. Once available, promptly apply official patches or updates from the plugin vendor. 8. Consider isolating or sandboxing the plugin's functionality to limit the scope of potential attacks. 9. For organizations with high-risk profiles, perform penetration testing focusing on XSS vulnerabilities in WordPress plugins to identify and remediate similar issues proactively.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- WPScan
- Date Reserved
- 2025-01-23T19:45:19.403Z
- Cisa Enriched
- false
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fa1484d88663aec2b0
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/11/2025, 12:34:22 PM
Last updated: 8/6/2025, 12:15:33 AM
Views: 15
Related Threats
CVE-2025-55284: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in anthropics claude-code
HighCVE-2025-55286: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in vancluever z2d
HighCVE-2025-52621: CWE-346 Origin Validation Error in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52620: CWE-20 Improper Input Validation in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52619: CWE-209 Generation of Error Message Containing Sensitive Information in HCL Software BigFix SaaS Remediate
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.