Description
The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Stored XSS
Action: Apply Patch
AI Analysis

Impact

The Divelogs Widget plugin allows a stored cross‑site scripting flaw that is triggered via the latestdive shortcode. Unsanitized and unescaped user‑supplied attributes let an attacker insert arbitrary JavaScript, which will run automatically whenever a page containing the injected content is viewed. This can lead to session hijacking, credential theft, defacement, or the spread of malware to site visitors.

Affected Systems

WordPress sites running the Divelogs Widget plugin by Klemmkeil, versions up to and including 1.5. Users with contributor‑level or higher access can exploit the flaw because it is triggered by content supplied by authenticated contributors.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity with potential for high impact to confidentiality and integrity if an attacker succeeds. The EPSS score is less than 1%, suggesting that the likelihood of exploitation in the near term is low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, any site with contributors who potentially wish to inject malicious code can execute arbitrary scripts, making the vulnerability attractive to attackers. The attack vector is an authenticated user inserting malicious shortcode attributes into a post or page, which is then stored in the database and executed on every request to that page.

Generated by OpenCVE AI on April 21, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Divelogs Widget plugin to the latest available version that is not affected (any version newer than 1.5 if released).
  • If an update is not immediately possible, restrict contributor roles from editing or adding shortcodes that accept user input, or remove the latestdive shortcode from all pages.
  • Configure a web application firewall or use a content‑security‑policy to block the execution of unexpected scripts on pages that contain the shortcode.

Generated by OpenCVE AI on April 21, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Divelogs Widget <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:33.797Z

Reserved: 2025-12-03T14:53:00.891Z

Link: CVE-2025-13962

cve-icon Vulnrichment

Updated: 2025-12-12T18:35:27.760Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:44.297

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13962

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses