CVE-2025-0688
📋 TL;DR
This vulnerability allows an attacker to execute malicious JavaScript in a victim's browser by tricking the victim into clicking a specially crafted link. Only unauthenticated users visiting WordPress sites with the vulnerable Spiritual Gifts Survey plugin are affected.
💻 Affected Systems
- Spiritual Gifts Survey WordPress plugin
- S.H.A.P.E survey WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of the user, potentially leading to account compromise or data theft.
Likely Case
Attackers would typically use this to steal session cookies or display phishing content to unauthenticated visitors.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented entirely.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited and require minimal technical skill. The WPScan reference includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.11 or later
Vendor Advisory: https://wpscan.com/vulnerability/1e2b77c3-ad45-4734-998a-c1722ebd1f4f/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'Spiritual Gifts Survey' and/or 'S.H.A.P.E survey'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugins
Temporarily disable the affected plugins until patched
Implement WAF rules
Add web application firewall rules to block XSS payloads in query parameters
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use browser security extensions that block reflected XSS attacks
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins for 'Spiritual Gifts Survey' or 'S.H.A.P.E survey' version 0.9.10 or earlier
Check Version:
wp plugin list --name='spiritual-gifts-survey' --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin version is 0.9.11 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual query parameters containing script tags or JavaScript in web server logs
- Multiple failed XSS attempts from same IP
Network Indicators:
- HTTP requests with suspicious parameters containing <script> tags or JavaScript functions
SIEM Query (Splunk-style syntax assumed; the plugin path needs a trailing wildcard to match files under it, and payloads usually arrive percent-encoded, so the encoded forms are matched as well):
source="web_server_logs" AND uri_path="/wp-content/plugins/spiritual-gifts-survey/*" AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onerror%3D" OR "onload=" OR "onload%3D")
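The log indicators above applied to raw web server logs, as an added example that is not part of the original advisory: it percent-decodes each request URI before matching (so encoded payloads are not missed), restricts matches to the plugin's path, and tallies attempts per source IP. The log lines are constructed samples in combined-log format, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (combined log format); the IPs are documentation ranges.
SAMPLE_LOGS = """\
203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/spiritual-gifts-survey/index.php?q=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:01:09 +0000] "GET /wp-content/plugins/spiritual-gifts-survey/index.php?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:02:00 +0000] "GET /wp-content/plugins/spiritual-gifts-survey/index.php?page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:02:30 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

PLUGIN_PATH = "/wp-content/plugins/spiritual-gifts-survey/"
# The same indicator strings the advisory's SIEM query looks for.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(uri: str) -> str:
    """Percent-decode repeatedly (bounded) so %3Cscript and double-encoded forms
    compare equal to the literal payload, then lowercase for case-insensitive matching."""
    for _ in range(3):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()


def find_xss_attempts(log_text: str) -> list:
    """Return one record per request to the plugin path whose decoded URI contains an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("uri").lower().startswith(PLUGIN_PATH):
            continue
        norm = normalize(m.group("uri"))
        matched = [i for i in INDICATORS if i in norm]
        if matched:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "uri": m.group("uri"), "indicators": matched})
    return hits


def count_by_ip(hits: list) -> dict:
    """Tally attempts per source IP; repeated attempts from one IP are the page's second log indicator."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOGS):
        print(hit["ts"], hit["ip"], hit["indicators"], hit["uri"])
    print(count_by_ip(find_xss_attempts(SAMPLE_LOGS)))
```

The fourth sample line carries an encoded payload but targets the site's search endpoint rather than the plugin path, so it is deliberately not reported here; widen PLUGIN_PATH if you want site-wide coverage.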