CVE-2025-13962 identifies a stored cross-site scripting vulnerability in the Divelogs Widget plugin for WordPress, specifically affecting all versions up to and including 1.5. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the 'latestdive' shortcode, which is used to display recent dive logs. Because the plugin fails to properly neutralize input, an authenticated user with contributor-level privileges or higher can inject arbitrary JavaScript code into pages generated by the plugin. This malicious script is stored persistently and executes in the browsers of any users who visit the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability requires authentication but no user interaction beyond visiting the affected page. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impact but no availability impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, highlighting improper neutralization of input during web page generation. Given WordPress's widespread use and the plugin's niche focus on dive logs, the attack surface is limited to sites using this plugin and having contributor-level users. However, the stored nature of the XSS increases risk as injected scripts persist and affect multiple users over time.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users visiting affected pages. Attackers can execute arbitrary scripts in the context of the vulnerable site, potentially stealing session cookies, performing actions on behalf of users, or delivering further malware. This can lead to account takeover, defacement, or broader compromise of the WordPress site. Since the vulnerability requires contributor-level authentication, the risk is higher in environments where multiple users have such privileges, including collaborative blogs or community sites. The persistent nature of the stored XSS means that once exploited, many users can be affected over time. Although availability is not impacted, the reputational damage and potential data breaches can be significant. Organizations relying on this plugin without mitigation expose themselves to targeted attacks, especially if attackers gain contributor access through social engineering or credential compromise.

Organizations should immediately audit their WordPress installations for the presence of the Divelogs Widget plugin and verify the version in use. Since no official patch links are provided, administrators should consider disabling or removing the plugin until a fixed version is released. Restrict contributor-level access strictly to trusted users and review user roles to minimize the number of accounts with such privileges. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'latestdive' shortcode. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts. Regularly monitor logs and user activity for signs of exploitation attempts. Additionally, site owners can sanitize inputs manually or use security plugins that enforce stricter input validation. Educate users with contributor access about phishing and credential security to reduce the risk of unauthorized access. Finally, stay alert for official patches or updates from the plugin vendor and apply them promptly once available.