CVE-2025-0687: 
WordPress vulnerability analysis and mitigation

CVE-2025-0687 is a Cross-Site Scripting (XSS) vulnerability discovered in the Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin versions through 0.9.10. The vulnerability was discovered by Hassan Khan Yusufzai and publicly disclosed on January 2, 2025 (WPScan).

The vulnerability stems from improper parameter sanitization and escaping in the plugin before outputting it back in the page. This results in a Reflected Cross-Site Scripting vulnerability that specifically affects unauthenticated users. The vulnerability has been assigned a CVSS score of 6.1 (medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD NIST).

The vulnerability allows attackers to execute malicious scripts in users' browsers when they visit specially crafted URLs. Since this is a reflected XSS vulnerability that affects unauthenticated users, it could potentially be used to steal session cookies, perform unauthorized actions on behalf of users, or manipulate the website's content as displayed to visitors (Wiz).

As of the current date, there is no known fix available for this vulnerability. Users of the Spiritual Gifts Survey WordPress plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (Wiz).