Description
Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Cross-Site Scripting (XSS) vulnerabilities allow an attacker to inject arbitrary client-side scripts into a WordPress site by exploiting insufficient input validation in the HandL UTM Grabber plugin. The flaw resides in the plugin's input handling and is present in all releases up to and including version 2.9.2. An attacker can trigger script execution simply by accessing the plugin's interface, with no login required, potentially leading to theft of credentials, session hijacking, defacement, or phishing attacks on site visitors; this compromises confidentiality and integrity for affected users.

Affected Systems

WordPress installations running the HandL UTM Grabber plugin by Haktan Suren at version 2.9.2 or any earlier release are affected. The problematic code lies in the plugin's input handling, and the vulnerability is present in every release up to and including 2.9.2.

Risk and Exploitability

The CVSS score of 7.1 reflects a high-severity flaw. The EPSS score is not available, so the likelihood of exploitation remains uncertain; however, the lack of an authentication requirement means an attacker can reach the vulnerable endpoint simply by requesting the plugin's URL. The vulnerability is not listed in the CISA KEV catalog, indicating that no widely known exploit has been documented, but the high severity and unauthenticated nature warrant preemptive action.

Generated by OpenCVE AI on July 2, 2026 at 20:22 UTC.

Remediation

Vendor Solution

Update the WordPress HandL UTM Grabber Plugin to the latest available version (at least 2.9.3).


OpenCVE Recommended Actions

  • Update the HandL UTM Grabber plugin to version 2.9.3 or later to eliminate the input-validation flaw.
  • If an update cannot be performed immediately, disable or delete the plugin from the WordPress installation to remove the attack surface.
  • Maintain the WordPress core and all plugins in their latest versions to reduce exposure to similar vulnerabilities.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 13:00:00 +0000

Type: First Time appeared
Values Added: Haktansuren; Haktansuren handl Utm Grabber; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Haktansuren; Haktansuren handl Utm Grabber; Wordpress; Wordpress wordpress

Thu, 02 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions.
Title WordPress HandL UTM Grabber plugin <= 2.9.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Haktansuren Handl Utm Grabber
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T15:53:27.892Z

Reserved: 2026-06-24T12:45:24.972Z

Link: CVE-2026-57351

Vulnrichment

Updated: 2026-07-02T13:33:35.955Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T20:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')