The hoyce Universal Analytics Injector product up to version 1.0.3 is affected by a CSRF vulnerability that can lead to stored XSS attacks. This vulnerability enables an attacker to trick an authenticated user into submitting unauthorized requests, which can result in malicious script injection stored within the application. The CVSS 3.1 vector indicates the attack can be performed remotely without privileges but requires user interaction. The impact includes partial confidentiality, integrity, and availability loss.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the affected application. This can compromise user data confidentiality and integrity and potentially disrupt availability. The vulnerability requires user interaction and can be exploited remotely without authentication privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing CSRF protections such as anti-CSRF tokens and validating request origins. Monitoring for unusual activity related to stored XSS may also help detect exploitation attempts.