{"id":"CVE-2022-1707","details":"The Google Tag Manager for WordPress plugin for WordPress is vulnerable to reflected Cross-Site Scripting via the s parameter because the site search term is populated into the site's data layer with insufficient sanitization, in versions up to and including 1.15. The affected file is ~/public/frontend.php and this could be exploited by unauthenticated attackers.","modified":"2026-03-15T14:46:00.707070Z","published":"2022-06-13T13:15:11.793Z","references":[{"type":"WEB","url":"https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L298"},{"type":"WEB","url":"https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L782"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/0435ae14-c1fd-4611-acbe-5f3bafd4bb6a?source=cve"},{"type":"ADVISORY","url":"https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1707"},{"type":"REPORT","url":"https://github.com/duracelltomi/gtm4wp/issues/224"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/duracelltomi/gtm4wp","events":[{"introduced":"0"},{"fixed":"de15527c94af603cc6646b2ef9a36e2519401a37"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.15.1"}]}}],"versions":["1.10","1.10.1","1.10beta1","1.11","1.11.3","1.11.4","1.11beta1","1.11beta2","1.12","1.12.1","1.12.2","1.12beta1","1.13","1.13.1","1.14","1.14.1","1.14.2","1.14beta1","1.14beta2","1.14beta3","1.15","1.15beta1","1.15beta2","1.4.0","1.5.0","1.5.0rc","1.6.0","1.6.0rc","1.6.1","1.7","1.7.1","1.7.2","1.7beta2","1.7beta3","1.7rc1","1.7rc2","1.8","1.8.1","1.8.1beta","1.8.1beta2","1.8beta1","1.9","1.9.1","1.9.1beta","1.9.2","1.9beta1","v1.13beta1","v1.7beta1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-1707.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}