CVE-2025-13962 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Divelogs Widget plugin for WordPress, specifically in the 'latestdive' shortcode functionality. The vulnerability arises from insufficient sanitization and escaping of user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability affects all versions up to and including 1.5 of the plugin. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, requiring privileges (authenticated contributor or higher), no user interaction, and a scope change due to affecting other users. While no public exploits are currently known, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors and public-facing content. The lack of available patches at the time of publication necessitates immediate mitigation steps to reduce risk.

For European organizations, this vulnerability can lead to unauthorized script execution in the context of trusted websites, risking user session hijacking, data theft, defacement, or distribution of malware. Organizations relying on WordPress sites with multiple contributors are particularly vulnerable, as attackers need only contributor-level access to exploit the flaw. This can undermine user trust, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is compromised), and cause reputational damage. The scope change means that the impact extends beyond the attacker’s own privileges, affecting all users who view the compromised pages. Given the widespread use of WordPress across Europe, especially in small and medium enterprises and public sector websites, the threat is significant. The absence of known exploits currently reduces immediate risk but does not eliminate the potential for future attacks.

European organizations should immediately audit their WordPress installations for the presence of the Divelogs Widget plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack surface. If removal is not feasible, restrict contributor-level access strictly and monitor for suspicious shortcode usage or unexpected content injections. Implement Web Application Firewalls (WAFs) with custom rules to detect and block malicious script payloads in shortcode parameters. Additionally, enforce Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of potential XSS. Regularly review user permissions and conduct security awareness training for contributors to prevent misuse. Finally, stay updated with vendor advisories for patch releases and apply them promptly once available.