CVE-2022-1707
Published 2022-06-13
Priority: P3 | 45 | CVSS 3.1: 6.1 medium
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 88.91% (99.8th percentile)
The Google Tag Manager for WordPress plugin for WordPress is vulnerable to reflected Cross-Site Scripting via the s parameter, because the site search term is populated into the data layer of sites with insufficient sanitization in versions up to and including 1.15. The affected file is ~/public/frontend.php, and this could be exploited by unauthenticated attackers.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| duracelltomi | gtm4wp_a_google_tag_manager_plugin_for_wordpress | <= 1.15 | — |
| gtm4wp | google_tag_manager | < 1.15.1 | 1.15.1 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L298
https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L782
https://github.com/duracelltomi/gtm4wp/issues/224
https://www.wordfence.com/threat-intel/vulnerabilities/id/0435ae14-c1fd-4611-acbe-5f3bafd4bb6a?source=cve
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1707