CVE-2025-13072
Description
The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in HandL UTM Grabber / Tracker before 2.8.1 lets an attacker inject script via an unsanitized query parameter (identified in this narrative as utm_source), targeting high-privilege users such as admins.
The HandL UTM Grabber / Tracker WordPress plugin in versions prior to 2.8.1 contains a reflected cross-site scripting (XSS) vulnerability. The plugin neither sanitizes the parameter on input nor escapes it for the HTML context it is written into, so a request that supplies the parameter has its value reflected verbatim into the page, and a crafted value can break out of the surrounding markup and inject arbitrary HTML and JavaScript [1]. The CVE description itself names only "a parameter"; the identification of that parameter as utm_source comes from this synthesized narrative rather than from the description.
Exploitation requires a high-privilege user, such as an administrator, to be induced to open a crafted link while logged in to the site. The attacker needs no account on the target and no special network position, since the malicious URL can be delivered by social engineering or planted on a related site. Because the bug is reflected rather than stored, the payload runs only in the browser of a victim who loads the crafted URL; nothing persists on the server [1].
Successful exploitation executes attacker-controlled script in the victim's browser with the victim's authenticated session. Note that WordPress sets its authentication cookies HttpOnly, so the script cannot read the session cookie directly; the practical impact is that it can issue wp-admin and REST API requests on the victim's behalf (the browser attaches the cookie, and the page exposes the REST nonce), which for an administrator is enough to create accounts, change settings or install code, and therefore to take over the site [1].
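The following is an added illustration of the bug class described above, written in PHP because that is what a WordPress plugin is built in. It is not code from the HandL UTM Grabber / Tracker plugin and does not reproduce the plugin's actual output path; the parameter name utm_source is taken from the narrative above (the CVE description says only "a parameter"), and the hidden-input markup is an assumed output context. The shims at the top stand in for the WordPress functions sanitize_text_field(), esc_attr() and esc_html() so the script runs outside WordPress; inside WordPress the real functions are used. The point it makes is the one in the description: "sanitize and escape" are two separate steps, and sanitizing alone does not stop an attribute breakout.

```php
<?php
// Added example (not plugin code): reflected XSS from an unescaped query
// parameter, beside a sanitize-only attempt and the fully hardened form.

// Stand-ins so this runs stand-alone. These approximate WordPress behaviour:
// sanitize_text_field() strips tags and control bytes but does NOT encode
// quotes; esc_attr()/esc_html() encode for the HTML context.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim($s);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the raw query parameter is echoed straight into markup.
// $get stands in for $_GET so the function can be exercised with fixed input.
function render_vulnerable(array $get): string {
    $src = $get['utm_source'] ?? '';
    return '<input type="hidden" name="utm_source" value="' . $src . '">';
}

// Half-fix: sanitized on input but still not escaped for the attribute
// context. A payload with no '<' survives strip_tags() and still breaks out.
function render_sanitize_only(array $get): string {
    $src = sanitize_text_field($get['utm_source'] ?? '');
    return '<input type="hidden" name="utm_source" value="' . $src . '">';
}

// Hardened pattern: sanitize on input AND escape for the exact output context
// (esc_attr() for an attribute value, esc_html() for text between tags).
function render_fixed(array $get): string {
    $src = sanitize_text_field($get['utm_source'] ?? '');
    return '<input type="hidden" name="utm_source" value="' . esc_attr($src) . '">'
         . '<p>Source: ' . esc_html($src) . '</p>';
}

// Constructed inputs: a benign value, a tag-based payload, and an
// attribute-breakout payload that contains no angle brackets at all.
$payloads = [
    'newsletter',
    '"><script>alert(document.domain)</script>',
    '" autofocus onfocus="alert(1)',
];

foreach ($payloads as $p) {
    echo "input:         " . $p . "\n";
    echo "vulnerable:    " . render_vulnerable(['utm_source' => $p]) . "\n";
    echo "sanitize only: " . render_sanitize_only(['utm_source' => $p]) . "\n";
    echo "fixed:         " . render_fixed(['utm_source' => $p]) . "\n\n";
}
```

Run it with `php example.php`. The second payload is neutralised by sanitize_text_field() because it contains a tag, but the third, `" autofocus onfocus="alert(1)`, passes through sanitize-only rendering intact and yields a focused input with an event handler; only the esc_attr() version turns the quotes into `&quot;` and keeps the value inside the attribute. That is why the description calls out both sanitizing and escaping, and why an output-escaping fix is the one that actually closes a reflected XSS.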
The vulnerability is fixed in version 2.8.1. Updating to 2.8.1 or later is strongly recommended for all users; no workaround other than updating the plugin is available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both without a CPE identifier:
- (no CPE) range: <2.8.1
- (no CPE) range: <2.8.1
Patches
No patches discovered yet (0).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference recorded, cited above as [1]; the reference URL is not listed on this page.
News mentions
No linked articles in our index yet (0).