Medium severity5.5NVD Advisory· Published Jun 13, 2022· Updated Jun 17, 2026
CVE-2022-1961
CVE-2022-1961
Description
The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the gtm4wp-options[scroller-contentid] parameter found in the ~/public/frontend.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.15.1
Patches
Vulnerability mechanics
References
5- plugins.trac.wordpress.org/changesetnvdPatch
- gist.github.com/Xib3rR4dAr/02a21cd0ea0b7bf586131c5eebb69f1dnvdExploitThird Party Advisory
- www.wordfence.com/threat-intel/vulnerabilities/id/202c14d0-9207-47cb-9410-ca4c70d7b6d2nvdThird Party Advisory
- www.wordfence.com/vulnerability-advisories/nvdThird Party Advisory
- wordpress.org/plugins/duracelltomi-google-tag-manager/nvdProductRelease Notes
News mentions
0No linked articles in our index yet.