WordPress Plugin Vulnerabilities

GTM4WP < 1.15.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not properly escape the Content Element ID settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfiltered_html is disallowed (for example multisite setups)

Affects Plugins

Plugin icon
duracelltomi-google-tag-manager
Fixed in 1.15.2

References

CVE
CVE-2022-1961

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Muhammad Zeeshan (Xib3rR4dAr)
Verified
Yes
WPVDB ID
78f097ff-ac14-4d30-a80f-29709f7d1f69

Timeline

Publicly Published
2022-05-31 (about 3 years ago)
Added
2022-05-31 (about 3 years ago)
Last Updated
2023-02-28 (about 3 years ago)

Other

Published
Title
Published
2022-01-03
Title
Visual CSS Style Editor < 7.5.4 - Reflected Cross-Site Scripting
Published
2024-08-19
Title
WP Last Modified Info < 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode
Published
2024-05-07
Title
Counter Up – Animated Number Counter & Milestone Showcase < 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-06
Title
Betheme < 28.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-11-09
Title
Car Rental by BestWebSoft <= 1.1.2 - Admin+ Stored XSS