VDZ Google Analytics or Google Tag Manager / GTM < 1.6.0 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

The plugin does not escape its Google Analytics ID settings, allowing high privilege users such as admin to perform XSS attacks even when the unfiltered_html capability is disallowed.

The issue was introduced in v1.5.0, fixed in 1.5.4, then re-introduced in 1.5.5 and fixed in 1.6.0

Proof of Concept

Put the following payload in the Google Analytics ID settings of the plugin (/wp-admin/customize.php?autofocus[section]=vdz_google_analytics_section), then access the frontend to trigger the XSS: ');alert('XSS

Affects Plugins

vdz-google-analytics

Fixed in 1.6.0

References

URL

https://plugins.trac.wordpress.org/changeset/2573341/

URL

https://plugins.trac.wordpress.org/changeset/2576032/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

689d2ac5-38d4-4791-b35c-a0e34ef73d57

Timeline

Publicly Published

2021-08-02 (about 4 years ago)

Added

2021-08-02 (about 4 years ago)

Last Updated

2021-08-02 (about 4 years ago)

Other

Published

Title

Published

2025-01-18

Title

Sponsered Link < 6.0 - Reflected Cross-Site Scripting

Published

2025-12-15

Title

UseStrict's Calendly Embedder < 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-09-05

Title

Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting

Published

2025-04-28

Title

Ninja Forms < 3.10.1 - Admin+ Stored XSS

Published

2024-03-14

Title

Premium Addons for Elementor (Free < 4.10.24, Pro < 2.9.14) - Contributor+ Stored XSS