Impact
An unauthenticated cross-site scripting (XSS) vulnerability in the HandL UTM Grabber WordPress plugin allows an attacker to inject arbitrary client-side scripts into an affected site because the plugin validates its input insufficiently. The flaw resides in the plugin's input handling and is present in all releases up to and including version 2.9.2. An attacker can trigger script execution simply by accessing the plugin's interface, without needing to be logged in, potentially leading to theft of credentials, session hijacking, defacement, or phishing attacks against site visitors, which compromises confidentiality and integrity for users.
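The pattern the advisory describes, reflecting an untrusted request value into a page without validation or output escaping, is shown below beside its hardened form. This is an added illustration, not code from the HandL UTM Grabber plugin; the parameter names (utm_source, utm_campaign), the function names, and the constructed request array are all hypothetical. The WordPress helpers used in the hardened version (sanitize_text_field, wp_unslash, esc_attr, esc_html) are real; the fallbacks at the top exist only so the file also runs outside WordPress.

```php
<?php
// Added example (not HandL UTM Grabber code): reflecting a UTM parameter
// into HTML, first the unsafe way and then the hardened way. Parameter and
// function names are hypothetical.

// Fallbacks so the file runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr()/sanitize_text_field()/wp_unslash() are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Approximation of WP's behaviour: strip tags and control characters, trim.
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

// UNSAFE: the request value is concatenated straight into markup. Whatever
// the visitor's URL carried in utm_source is rendered by the browser as HTML.
// This is the shape of an "insufficient input validation" reflected XSS.
function utm_hidden_field_unsafe( array $request ) {
    $source = isset( $request['utm_source'] ) ? $request['utm_source'] : '';
    return '<input type="hidden" name="utm_source" value="' . $source . '">';
}

// HARDENED: sanitize on input, then escape on output for the exact context
// the value lands in (an HTML attribute here). Never echo $_GET/$_POST raw.
function utm_hidden_field_safe( array $request ) {
    $source = isset( $request['utm_source'] )
        ? sanitize_text_field( wp_unslash( $request['utm_source'] ) )
        : '';
    return '<input type="hidden" name="utm_source" value="' . esc_attr( $source ) . '">';
}

// Same discipline for a visible label: esc_html() for text-node context.
function utm_label_safe( array $request ) {
    $campaign = isset( $request['utm_campaign'] )
        ? sanitize_text_field( wp_unslash( $request['utm_campaign'] ) )
        : '';
    return '<span class="utm-campaign">' . esc_html( $campaign ) . '</span>';
}

// Constructed request (stands in for $_GET): a value that would terminate
// the attribute early and smuggle in markup if reflected unescaped.
$constructed_request = array(
    'utm_source'   => 'news"><b>injected</b>',
    'utm_campaign' => 'spring <i>sale</i>',
);

echo utm_hidden_field_unsafe( $constructed_request ), PHP_EOL;
echo utm_hidden_field_safe( $constructed_request ), PHP_EOL;
echo utm_label_safe( $constructed_request ), PHP_EOL;
```

In the unsafe output the double quote in utm_source closes the value attribute and the `<b>` element becomes live markup; in the hardened output the tags are stripped on input and the remaining quote and angle bracket are emitted as HTML entities, so the browser treats the whole value as inert text. Escaping is chosen per context (esc_attr inside an attribute, esc_html in a text node); sanitizing alone is not a substitute for output escaping.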
Affected Systems
WordPress installations running the HandL UTM Grabber plugin by Haktan Suren at version 2.9.2 or any earlier release are affected; the problematic code resides in the plugin's input handling.
Risk and Exploitability
The CVSS score of 7.1 rates the flaw as high severity. No EPSS score is available, so the likelihood of exploitation in the wild is uncertain; however, because no authentication is required, any visitor who can reach the plugin's endpoint can trigger the flaw. The vulnerability is not listed in the CISA KEV catalog, so CISA has not recorded confirmed active exploitation, but the high severity and unauthenticated nature warrant preemptive action.
OpenCVE Enrichment