CVE-2025-0687: Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS

Description

The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Classification

CVE ID: CVE-2025-0687

Problem Types

CWE-79 Cross-Site Scripting (XSS) CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

Vendor: Unknown

Product: Spiritual Gifts Survey (and optional S.H.A.P.E survey)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 15.38% (scored less or equal to compared to others)

EPSS Date: 2025-06-04 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0687
https://wpscan.com/vulnerability/3c1e21e1-32f2-4a20-9262-80e1cdab534d/

Timeline

2025-05-15 21:40:24 UTC
CVE

Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS