CVE-2025-0688: Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS

Description

The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Classification

CVE ID: CVE-2025-0688

Problem Types

CWE-79 Cross-Site Scripting (XSS) CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

Vendor: Unknown

Product: Spiritual Gifts Survey (and optional S.H.A.P.E survey)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 15.38% (scored less or equal to compared to others)

EPSS Date: 2025-06-04 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0688
https://wpscan.com/vulnerability/1e2b77c3-ad45-4734-998a-c1722ebd1f4f/

Timeline

2025-05-15 21:40:24 UTC
CVE

Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS