VDZ Google Analytics or Google Tag Manager / GTM < 1.4.9 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

The plugin does not properly sanitise or escape some of its settings, allowing high privilege users such as admin to perform XSS attacks even when the unfiltered_html capability is disallowed

Proof of Concept

Put the following payloads in the Google Analytics ID settings of the plugin (/wp-admin/customize.php?autofocus[section]=vdz_google_analytics_section), then access the frontend the trigger the XSS

v < 1.4.8: '></script><script>alert(/XSS/)</script>
v < 1.4.9: 'onload='alert(/XSS/)

Affects Plugins

vdz-google-analytics

Fixed in 1.4.9

References

URL

https://plugins.trac.wordpress.org/changeset/2555399

URL

https://plugins.trac.wordpress.org/changeset/2558946

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

23fa477d-444c-4398-a879-cacaba8ff79c

Timeline

Publicly Published

2021-08-02 (about 4 years ago)

Added

2021-08-02 (about 4 years ago)

Last Updated

2021-08-02 (about 4 years ago)

Other

Published

Title

Published

2023-11-13

Title

Simply Excerpts <= 1.4 - Admin+ Stored XSS

Published

2025-04-04

Title

SurveyJS < 1.12.57 - Contributor+ Stored XSS

Published

2024-03-29

Title

iFlyChat – WordPress Chat <= 4.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2015-11-17

Title

WooCommerce <= 2.4.8 - Authenticated Cross-Site Scripting (XSS)

Published

2025-12-05

Title

TR Timthumb <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes