Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unsanitized UTM input (AV:N/AC:L/PR:N) requires victim interaction (UI:R); reflected/stored script crosses into other sessions (S:C) with limited C/I/A impact typical of XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions.
AnalysisAI
Stored/reflected cross-site scripting in the HandL UTM Grabber WordPress plugin (versions 2.9.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, per PR:N/UI:R in the CVSS vector. The scope-change flag (S:C) indicates injected script can affect resources beyond the vulnerable component, such as authenticated admin sessions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to interact with an attacker-supplied link or page (UI:R), so a user - most impactfully an authenticated administrator - must be lured into visiting a crafted URL containing a malicious UTM parameter processed by the plugin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L - network-reachable, low complexity, no privileges required, but requiring user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the target WordPress site with malicious JavaScript embedded in a UTM parameter and distributes it via phishing email, ad, or social media. When a victim - ideally a logged-in administrator - clicks the link, the unsanitized parameter is rendered and the script executes in their browser, potentially stealing the session cookie or performing actions on their behalf. … |
| Remediation | No vendor-released patch version is identified in the available data - the input specifies affected versions <= 2.9.2 but does not name a fixed release; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/handl-utm-grabber/vulnerability/wordpress-handl-utm-grabber-plugin-2-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve) for an updated version and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress installations running HandL UTM Grabber version 2.9.2 or earlier and immediately deactivate the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Handl Utm Grabber
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41350
GHSA-fjv9-x6j5-5cgw