CVE-2022-1707

moderate-risk
Published 2022-06-13

The Google Tag Manager for WordPress plugin for WordPress is vulnerable to reflected Cross-Site Scripting via the s parameter due to the site search populating into the data layer of sites with insufficient sanitization in versions up to an including 1.15. The affected file is ~/public/frontend.php and this could be exploited by unauthenticated attackers.

Do I need to act?

!
16.2% chance of exploitation in next 30 days
EPSS score — higher than 84% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Gtm4Wp

References (10)

Product https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L298
Product https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L782
Issue Tracking https://github.com/duracelltomi/gtm4wp/issues/224
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/0435ae14-c1fd-4611-acb...
Third Party Advisory https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1707
Product https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L298
Product https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L782
Issue Tracking https://github.com/duracelltomi/gtm4wp/issues/224
Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/0435ae14-c1fd-4611-acb...
Third Party Advisory https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1707
41
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 13/34 · Low
Exposure 5/34 · Minimal