CVE-2022-1961

Name of the Vulnerable Software and Affected Versions Google Tag Manager for WordPress (GTM4WP) versions up to and including 1.15.1

Description The issue is related to Stored Cross-Site Scripting due to insufficient escaping via the gtm4wp-options[scroller-contentid] parameter found in the ~/public/frontend.php file. This allows attackers with administrative user access to inject arbitrary web scripts. The issue affects multi-site installations where unfiltered html is disabled for administrators, and sites where unfiltered html is disabled.

Recommendations For versions up to and including 1.15.1, update to a version higher than 1.15.1 to resolve the issue. As a temporary workaround, consider restricting access to the gtm4wp-options[scroller-contentid] parameter to minimize the risk of exploitation. Restrict administrative user access to trusted users only. Enable unfiltered html for administrators if possible, to reduce the risk of Stored Cross-Site Scripting.