WordPress Plugin Vulnerabilities

Google Tag Manager for WordPress < 1.15.1 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the s parameter before outputting it back in a page when the search data is included in the data layer (related settings is Basic data > Search data)

Affects Plugins

Plugin icon
duracelltomi-google-tag-manager
Fixed in 1.15.1

References

CVE
CVE-2022-1707

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Cory Buecker, not_stoppable
Verified
Yes
WPVDB ID
b5384be3-91c0-45e8-ae03-0188be12bc09

Timeline

Publicly Published
2022-05-19 (about 3 years ago)
Added
2022-05-19 (about 3 years ago)
Last Updated
2023-02-13 (about 3 years ago)

Other

Published
Title
Published
2025-02-03
Title
Smart Countdown FX <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-04-30
Title
Pliska < 0.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Author Display Name
Published
2025-01-16
Title
Easy School Registration <= 3.9.8 - Reflected Cross-Site Scripting
Published
2025-01-14
Title
Brizy Pro <= 2.6.1 - Reflected Cross-Site Scripting
Published
2023-09-21
Title
Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode