HandL UTM Grabber / Tracker Security & Risk Analysis

wordpress.org/plugins/handl-utm-grabber

The WordPress attribution plugin used by over 200,000+ sites to capture UTMs, gclid, and source data in your forms, CRM, and revenue workflows.

10K active installs · v2.8.4 · PHP 5.3+ · WP 3.6.0+ · Updated Mar 7, 2026
Tags: gclid, tracker, tracking, utm, utm-tracking
96
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Nov 19, 2025
Safety Verdict

Is HandL UTM Grabber / Tracker Safe to Use in 2026?

Generally Safe

Score 96/100

HandL UTM Grabber / Tracker has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Nov 19, 2025 · Updated 2mo ago
Risk Assessment

The handl-utm-grabber plugin version 2.8.4 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices regarding SQL queries, exclusively using prepared statements, and has a high rate of properly escaped output, indicating efforts to prevent common web vulnerabilities. The absence of critical or high-severity taint flows is also a positive sign, suggesting that sensitive data is generally handled with care.

However, there are notable areas of concern. The presence of two AJAX handlers without authentication checks represents a significant attack surface that could be exploited for unauthorized actions or information disclosure. The plugin's history of three known CVEs, with one high and two medium severity vulnerabilities, including Cross-Site Scripting and CSRF, is a red flag. While no vulnerabilities are currently unpatched, this pattern suggests a history of introducing security flaws that require remediation. The lack of nonce checks on AJAX handlers further amplifies the risk associated with the unprotected entry points.

In conclusion, while the plugin has strengths in its database interaction and output handling, the unprotected AJAX endpoints and historical vulnerability pattern warrant caution. Users should be aware of the potential for unauthorized access or actions via the unprotected AJAX endpoints, and the plugin's past security issues suggest a need for vigilance regarding future updates and potential undiscovered vulnerabilities.

Key Concerns

  • Unprotected AJAX handlers
  • High historical vulnerability count
  • 1 high severity known vulnerability
  • 2 medium severity known vulnerabilities
  • Missing nonce checks on AJAX
Vulnerabilities
3 published

HandL UTM Grabber / Tracker Security Vulnerabilities

CVEs by Year

2019: 1 CVE
2025: 2 CVEs

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2025-13073 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
HandL UTM Grabber / Tracker <= 2.8.0 - Reflected Cross-Site Scripting
Nov 19, 2025 · Patched in 2.8.1 (24d)

CVE-2025-13072 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
HandL UTM Grabber / Tracker <= 2.8.0 - Reflected Cross-Site Scripting
Nov 19, 2025 · Patched in 2.8.1 (24d)

CVE-2019-15769 · high · 8.8 · Cross-Site Request Forgery (CSRF)
HandL UTM Grabber / Tracker <= 2.6.4 - Cross-Site Request Forgery
Aug 27, 2019 · Patched in 2.6.5 (1610d)
Code Analysis
Analyzed Mar 16, 2026

HandL UTM Grabber / Tracker Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 3 (77 escaped)
Nonce Checks: 0
Capability Checks: 6
File Operations: 3
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

96% escaped · 80 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
render (lite\elementor.php:84)
Attack Surface
2 unprotected

HandL UTM Grabber / Tracker Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers: 4

auth · wp_ajax_handl_notice_dismiss · handl-utm-grabber.php:558
auth · wp_ajax_handl_get_zapier_log · includes\admin\handl-options.php:93
auth · wp_ajax_handl_get_promos · includes\admin\promos.php:24
auth · wp_ajax_handl_dismiss_promo · includes\admin\promos.php:25

WordPress Hooks: 33

filter · gform_field_groups_form_editor · gf-handl-field.php:75
action · gform_editor_js_set_default_values · gf-handl-field.php:102
filter · gform_entry_detail_meta_boxes · gf-handl-field.php:117
filter · widget_text · handl-utm-grabber.php:26
action · init · handl-utm-grabber.php:28
action · wp_enqueue_scripts · handl-utm-grabber.php:121
action · admin_enqueue_scripts · handl-utm-grabber.php:128
filter · salesforce_w2l_field_value · handl-utm-grabber.php:133
filter · wpcf7_form_elements · handl-utm-grabber.php:134
filter · acf/load_value/name=url · handl-utm-grabber.php:142
action · admin_menu · handl-utm-grabber.php:173
action · admin_footer · handl-utm-grabber.php:185
filter · the_content · handl-utm-grabber.php:405
action · woocommerce_checkout_update_order_meta · handl-utm-grabber.php:456
filter · nav_menu_link_attributes · handl-utm-grabber.php:470
action · ninja_forms_loaded · handl-utm-grabber.php:476
action · wp_dashboard_setup · handl-utm-grabber.php:596
filter · site_status_tests · handl-utm-grabber.php:727
action · admin_init · handl-utm-grabber.php:1036
action · admin_enqueue_scripts · handl-utm-grabber.php:1038
action · admin_init · includes\admin\handl-options.php:95
action · rest_api_init · includes\admin\handl-options.php:96
action · admin_init · includes\admin\promos.php:26
action · admin_notices · includes\admin\promos.php:28
action · wp_dashboard_setup · includes\admin\promos.php:29
action · admin_bar_menu · includes\admin\promos.php:30
action · admin_head · includes\admin\promos.php:31
action · admin_footer · includes\admin\promos.php:32
filter · handl_promo_menu_badge · includes\admin\promos.php:34
action · admin_menu · includes\admin\react-admin.php:18
action · admin_enqueue_scripts · includes\admin\react-admin.php:20
filter · elementor_pro/forms/render/item/hidden · lite\elementor.php:5
action · elementor/dynamic_tags/register_tags · lite\elementor.php:105
Maintenance & Trust

HandL UTM Grabber / Tracker Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version: 5.3
Downloads: 260K

Community Trust

Rating: 96/100
Number of ratings: 142
Active installs: 10K
Developer Profile

HandL UTM Grabber / Tracker Developer Profile

Haktan Suren

3 plugins · 10K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 553 days
Detection Fingerprints

How We Detect HandL UTM Grabber / Tracker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/handl-utm-grabber/js/js.cookie.js
/wp-content/plugins/handl-utm-grabber/js/handl-utm-grabber.js
/wp-content/plugins/handl-utm-grabber/js/admin.js
/wp-content/plugins/handl-utm-grabber/css/admin.css
Script Paths
/wp-content/plugins/handl-utm-grabber/js/js.cookie.js
/wp-content/plugins/handl-utm-grabber/js/handl-utm-grabber.js
/wp-content/plugins/handl-utm-grabber/js/admin.js
Version Parameters
handl-utm-grabber/js/js.cookie.js?ver=
handl-utm-grabber/js/handl-utm-grabber.js?ver=
handl-utm-grabber/js/admin.js?ver=
handl-utm-grabber/css/admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
handl-utm-apps
Data Attributes
id="handl-premium-link"
JS Globals
handl_utm
Shortcode Output
[utm_source]
[utm_medium]
[utm_term]
[utm_content]