
Divelogs Widget Security & Risk Analysis
wordpress.org/plugins/divelogs-widget
Displays your latest dive from divelogs.de in a widget
Is Divelogs Widget Safe to Use in 2026?
Generally Safe
Score 99/100
Divelogs Widget has a strong security track record. Known vulnerabilities have been patched promptly.
The divelogs-widget plugin, version 1.6, presents a mixed security posture. On the positive side, the code analysis found no dangerous functions, no raw SQL queries, and a high proportion of properly escaped output. The absence of file operations and external HTTP requests, together with an attack surface limited to a single shortcode (for which no explicit authentication checks were indicated), are also good signs. Taint analysis identified no vulnerabilities, suggesting that data flows within the plugin are handled cautiously.
However, several areas raise concerns. A medium-severity cross-site scripting (XSS) vulnerability in the plugin's history, although now patched, is a significant flag. The lack of nonce checks and capability checks on the identified entry points, particularly the shortcode, is a potential weakness: even though output is generally escaped, the plugin does not verify that the user invoking the shortcode is authorized or that the request is legitimate, leaving it exposed to certain attacks if an input vector exists.
In conclusion, while divelogs-widget has adopted some good security practices such as prepared statements and output escaping, the historical XSS vulnerability and the absence of nonce and capability checks on its attack surface are notable risks that warrant attention for a more robust security posture.
Key Concerns
- Medium severity XSS vulnerability in history
- No nonce checks on entry points
- No capability checks on entry points
Divelogs Widget Security Vulnerabilities
[Charts: CVEs by Year; Severity Breakdown]
1 total CVE
Divelogs Widget <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Divelogs Widget Code Analysis
Output Escaping
Divelogs Widget Attack Surface
Shortcodes 1
WordPress Hooks 1
Divelogs Widget Maintenance & Trust
Maintenance Signals
Community Trust
Divelogs Widget Alternatives
- Nautilus Trips (nautilus-trips): List, Display, and Book Nautilus Liveaboards scuba diving trips directly on your website. Nautilus Dealer account required.
- Dive Admin (dive-admin): DiveAdmin.com is a software solution for dive schools and diving centers.
- Diving Calculators (diving-calculators): Widget for scuba diving calculators
- Visitor Check-In/Check-Out Logbook – WordPress Visitor Management (office-visits-logbook): Your company is still using paper log sheets for office visitors? Everything is digital and paperless now. Being paperless can also save trees and pro …
- Scuba Logger (scuba-logger): This plugin turns a WordPress blog into an interactive online scuba dive log.
Divelogs Widget Developer Profile
2 plugins · 30 total installs
How We Detect Divelogs Widget
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/divelogs-widget/divelogs-widget.php
HTML / DOM Fingerprints
- divelogs-widget
- id="divelogs_widget"
- <script src="https://divelogs.org/mylatestdivebig.php
- <script src="https://www.divelogs.de/mylatestdivebig.php
- <script src="https://fr.divelogs.de/mylatestdivebig.php
- <script src="https://nl.divelogs.de/mylatestdivebig.php