CVE-2022-1961

Source
https://cve.org/CVERecord?id=CVE-2022-1961
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-1961.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-1961
Published
2022-06-13T14:15:08.843Z
Modified
2025-11-14T12:47:48.848974Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

The Google Tag Manager for WordPress (GTM4WP) plugin, in versions up to and including 1.15.1, is vulnerable to Stored Cross-Site Scripting due to insufficient escaping of the gtm4wp-options[scroller-contentid] parameter in the ~/public/frontend.php file, which allows attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

References

Affected packages

Git / github.com/duracelltomi/gtm4wp

Affected ranges

Type
GIT
Repo
https://github.com/duracelltomi/gtm4wp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*
1.10
1.10.1
1.10beta1
1.11
1.11.3
1.11.4
1.11beta1
1.11beta2
1.12
1.12.1
1.12.2
1.12beta1
1.13
1.13.1
1.14
1.14.1
1.14.2
1.14beta1
1.14beta2
1.14beta3
1.15
1.15.1
1.15beta1
1.15beta2
1.4.0
1.5.0
1.5.0rc
1.6.0
1.6.0rc
1.6.1
1.7
1.7.1
1.7.2
1.7beta2
1.7beta3
1.7rc1
1.7rc2
1.8
1.8.1
1.8.1beta
1.8.1beta2
1.8beta1
1.9
1.9.1
1.9.1beta
1.9.2
1.9beta1
v1.*
v1.13beta1
v1.7beta1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-1961.json"