Stored Cross-Site Scripting in Divelogs Widget Plugin for WordPress
CVE-2025-13962

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Divelogs Widget
Vendor: CVE Published:; 12 December 2025

What is CVE-2025-13962?

The Divelogs Widget for WordPress is exposed to vulnerabilities due to inadequate input sanitization and output escaping for the 'latestdive' shortcode. This risk allows authenticated users with contributor-level access or higher to inject harmful scripts into pages, which execute when other users view the compromised content. Affected versions include all up to and including 1.5, necessitating immediate attention for updates and patches to mitigate potential exploitation.

Affected Version(s)

Divelogs Widget * <= 1.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/divelogs-widge...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Dec 3, 2025

Credit

Gilang Asra Bilhadi

JSON