CVE-2022-1707
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-1707
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-1707.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-1707
- Published
- 2022-06-13T13:15:11.793Z
- Modified
- 2025-11-14T12:47:11.731764Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The Google Tag Manager for WordPress plugin for WordPress is vulnerable to reflected Cross-Site Scripting via the s parameter due to the site search populating into the data layer of sites with insufficient sanitization in versions up to an including 1.15. The affected file is ~/public/frontend.php and this could be exploited by unauthenticated attackers.
- References
-
- https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L298
- https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L782
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0435ae14-c1fd-4611-acbe-5f3bafd4bb6a?source=cve
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1707
- https://github.com/duracelltomi/gtm4wp/issues/224
Affected packages
Git / github.com/duracelltomi/gtm4wp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/duracelltomi/gtm4wp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.10
1.10.1
1.10beta1
1.11
1.11.3
1.11.4
1.11beta1
1.11beta2
1.12
1.12.1
1.12.2
1.12beta1
1.13
1.13.1
1.14
1.14.1
1.14.2
1.14beta1
1.14beta2
1.14beta3
1.15
1.15beta1
1.15beta2
1.4.0
1.5.0
1.5.0rc
1.6.0
1.6.0rc
1.6.1
1.7
1.7.1
1.7.2
1.7beta2
1.7beta3
1.7rc1
1.7rc2
1.8
1.8.1
1.8.1beta
1.8.1beta2
1.8beta1
1.9
1.9.1
1.9.1beta
1.9.2
1.9beta1
v1.*
v1.13beta1
v1.7beta1