Skip to main content

HandL UTM Grabber CVE-2026-57351

| EUVDEUVD-2026-41350 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-fjv9-x6j5-5cgw
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unsanitized UTM input (AV:N/AC:L/PR:N) requires victim interaction (UI:R); reflected/stored script crosses into other sessions (S:C) with limited C/I/A impact typical of XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:15 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions.

AnalysisAI

Stored/reflected cross-site scripting in the HandL UTM Grabber WordPress plugin (versions 2.9.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, per PR:N/UI:R in the CVSS vector. The scope-change flag (S:C) indicates injected script can affect resources beyond the vulnerable component, such as authenticated admin sessions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft UTM parameter with XSS payload
Delivery
Deliver malicious link via phishing
Exploit
Victim admin clicks link
Execution
Script executes in browser session
Impact
Hijack session or act as user

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to interact with an attacker-supplied link or page (UI:R), so a user - most impactfully an authenticated administrator - must be lured into visiting a crafted URL containing a malicious UTM parameter processed by the plugin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L - network-reachable, low complexity, no privileges required, but requiring user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the target WordPress site with malicious JavaScript embedded in a UTM parameter and distributes it via phishing email, ad, or social media. When a victim - ideally a logged-in administrator - clicks the link, the unsanitized parameter is rendered and the script executes in their browser, potentially stealing the session cookie or performing actions on their behalf. …
Remediation No vendor-released patch version is identified in the available data - the input specifies affected versions <= 2.9.2 but does not name a fixed release; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/handl-utm-grabber/vulnerability/wordpress-handl-utm-grabber-plugin-2-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve) for an updated version and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress installations running HandL UTM Grabber version 2.9.2 or earlier and immediately deactivate the plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy