HandL UTM Grabber / Tracker < 2.8.1 – Reflected XSS via utm_source | CVE 2025-13072 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

1. Create a post (as contributor) with the vulnerable shortcode [utm_source] and get its URL.
2. Visit the URL with an XSS payload appended in the utm_source parameter: http://example.com/handl-xss?utm_source=%253Cscript%253Ealert(document.cookie)%253C%252Fscript%253E

Affects Plugins

handl-utm-grabber

Fixed in 2.8.1

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Alex Tselevich (nos3curity)

Submitter

Alex Tselevich (nos3curity)

Submitter website

https://nosecurity.blog

Submitter twitter

Verified

Yes

WPVDB ID

e3795f29-b886-4b92-a7d6-5f5afd7090aa

Timeline

Publicly Published

2025-11-19 (about 1 month ago)

Added

2025-11-19 (about 1 month ago)

Last Updated

2025-11-19 (about 1 month ago)

Other

Published

Title

Published

2023-06-20

Title

Contact Form by WPForms < 1.8.1.3 - Reflected XSS

Published

2024-11-03

Title

Planning Center Online Giving <= 1.0.0 - Contributor+ XSS via Shortcode

Published

2025-10-21

Title

Cookie Notice & Compliance for GDPR / CCPA < 2.5.9 - Author+ Stored XSS

Published

2022-06-14

Title

WordPress Real Cookie Banner < 2.18.2 - Reflected Cross-Site Scripting

Published

2020-12-12

Title

Directories Pro < 1.3.46 - Authenticated Self-Reflected Cross-Site Scripting