CVE-2025-13073
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-12
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| handl | utm_grabber | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the HandL UTM Grabber / Tracker WordPress plugin versions before 2.8.1. It occurs because the plugin does not properly sanitize and escape a parameter before outputting it back on the page. This flaw leads to a Reflected Cross-Site Scripting (XSS) vulnerability, which means an attacker can inject malicious scripts that are executed in the context of the victim's browser, potentially targeting high privilege users such as administrators.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of high privilege users like administrators. This can lead to unauthorized actions, session hijacking, theft of sensitive information, or further compromise of the affected WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the affected WordPress site for reflected Cross-Site Scripting (XSS) in the HandL UTM Grabber / Tracker plugin prior to version 2.8.1. One method is to create or identify a post containing the vulnerable shortcode [handl_landing_page], then visit the URL with an XSS payload appended to an arbitrary parameter, for example: http://example.com/handl-test-1/?nosecurity=""><script>alert(document.cookie)</script>. If the script executes, the vulnerability is present. There are no specific network commands provided, but manual testing via a browser or automated web vulnerability scanners targeting reflected XSS on the plugin's parameters can be used. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the HandL UTM Grabber / Tracker WordPress plugin to version 2.8.1 or later, where the issue is fixed by proper sanitization and escaping of parameters. Until the update can be applied, restrict access to high-privilege users and avoid clicking on suspicious URLs containing parameters that could exploit the vulnerability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.