CVE-2025-13073
Description
The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS in HandL UTM Grabber/Tracker before 2.8.1 allows high-privilege user compromise via unsanitized output.
The HandL UTM Grabber / Tracker WordPress plugin versions prior to 2.8.1 fail to sanitize and escape the handl_landing_page parameter before including it in output on the page. This flaw constitutes a reflected Cross-Site Scripting (XSS) vulnerability [1].
The vulnerability is triggered when a victim visits a crafted URL whose handl_landing_page parameter carries attacker-controlled markup or JavaScript. The reflection itself requires no authentication; the impact depends on who opens the link. For maximal impact the attacker must induce a high-privilege user such as an administrator to visit the crafted URL, so the attack requires user interaction [1].
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim’s browser session. This can lead to session hijacking, privilege escalation, or the unauthorized modification of site content if an administrator is compromised [1].
The vulnerability was publicly disclosed on 2025-11-19 and was fixed in version 2.8.1 of the plugin. Users are strongly advised to update to the latest version [1].
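The following is an added illustration, not the plugin's own code and not taken from the advisory: it shows the class of bug the description names (a request parameter echoed into the page without sanitization or escaping) beside the hardened form a WordPress plugin would use. The parameter name handl_landing_page comes from the text above; the hidden-input output context, the function names, and the fallback helpers (used only when WordPress is not loaded, so the file runs under plain `php`) are assumptions for demonstration.

```php
<?php
// Added example (not HandL UTM Grabber code): vulnerable vs. hardened
// reflection of a query parameter into markup.
//
// Assumptions, labelled: the output context (a hidden <input> value) and all
// function names here are hypothetical. The stand-ins below approximate the
// WordPress helpers only so the file runs offline; inside WordPress the real
// esc_attr(), sanitize_text_field() and wp_unslash() are used instead.

if ( ! function_exists( 'esc_attr' ) ) {
    // Stand-in for WordPress esc_attr(): escape for an HTML attribute value.
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Stand-in for WordPress sanitize_text_field(): strip tags, control
    // characters and surrounding whitespace from a single-line text value.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    // Stand-in for WordPress wp_unslash(): WordPress adds slashes to
    // superglobals, so values are unslashed before sanitizing.
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

// VULNERABLE pattern: the raw query parameter is concatenated into markup.
// A value containing "> breaks out of the attribute and injects a new tag.
function handl_render_landing_field_vulnerable( array $get ) {
    $landing = isset( $get['handl_landing_page'] ) ? $get['handl_landing_page'] : '';
    return '<input type="hidden" name="handl_landing_page" value="' . $landing . '">';
}

// HARDENED pattern: sanitize on input, then escape for the exact output
// context (attribute value here). Escaping is what neutralises the quote
// and angle bracket; sanitizing alone would not be enough.
function handl_render_landing_field_hardened( array $get ) {
    $landing = isset( $get['handl_landing_page'] )
        ? sanitize_text_field( wp_unslash( $get['handl_landing_page'] ) )
        : '';
    return '<input type="hidden" name="handl_landing_page" value="' . esc_attr( $landing ) . '">';
}

// Constructed probe (not from the advisory): closes the attribute and the
// tag, then injects a script element.
$probe = array( 'handl_landing_page' => '"><script>alert(document.domain)</script>' );

echo "vulnerable: " . handl_render_landing_field_vulnerable( $probe ) . "\n";
echo "hardened:   " . handl_render_landing_field_hardened( $probe ) . "\n";
```

Run with `php reflected_xss.php`. The vulnerable output contains a live `<script>` element; the hardened output keeps the value inside the attribute as `&quot;&gt;alert(document.domain)`. When reviewing a fix for this class of issue, check that the escaping function matches the output context (esc_attr for attributes, esc_html for element text, esc_url for href/src): sanitize_text_field on its own is an input filter, not an output escape.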
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <2.8.1
- (no CPE) range: <2.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.