cleantalk
Vulnerabilities and Security Researches

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress, CVE-2022-1961

CVE, Research URL

CVE-2022-1961

Home page URL

Security reports for GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Application

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Published on
Jun 13, 2022
Research Description
The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the `gtm4wp-options[scroller-contentid]` parameter found in the `~/public/frontend.php` file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Affected versions
Min -, max 1.15.2.
Status
vulnerable
Previous vulnerability researches
GTM4WP – A Google Tag Manager (GTM) plugin for WordPress , Jul 24, 2024
GTM4WP – A Google Tag Manager (GTM) plugin for WordPress (CVE-2022-1961) , Jun 07, 2024
GTM4WP – A Google Tag Manager (GTM) plugin for WordPress (CVE-2022-1707) , Jun 07, 2024
New vulnerability
Calculated Fields Form (CVE-2024-13381) , May 03, 2025
KiwiChat NextClient (CVE-2025-3670) , May 03, 2025
SureTriggers – Connect All Your Plugins, Apps, Tools & Automate Everything! (CVE-2025-27007) , May 03, 2025
Taxonomy Chain Menu (CVE-2025-3748) , May 03, 2025
Able Player, accessible HTML5 media player (CVE-2025-3752) , May 02, 2025