CVE-2022-1707 The Google Tag Manager for WordPress plugin is vulnerable to reflected Cross-Site Scripting due to the site search populating into the data layer. This ranges from up to and including 1.15.
Google Tag Manager for WordPress is a plugin for WordPress that helps you manage your Google Analytics, AdWords, and Google Search campaigns from inside WordPress. It can also be used to import data from other services into Google Analytics and Google Search. This plugin has been reported to have a Cross-Site Scripting vulnerability via the s param in the site search form. The site search form is where a user can enter a query and get a list of related posts. The s param of this form is not properly sanitised by the plugin, which can be exploited to inject invalid HTML code into the site search results. This could be exploited by hackers to conduct Cross-Site Scripting attacks. To be notified of future vulnerabilities, update to the latest version of Google Tag Manager for WordPress.
Google Tag Manager for WordPress Cross Site Scripting Example
In WordPress, a Cross-Site Scripting vulnerability is located in Google Tag Manager for WordPress. The plugin will load the search form into your WordPress page and then call _wp_get_posts() in order to return the relevant results. If you have any malicious code on your page that you want rendered, all you need to do is append this code at the end of your query:
Timeline
Published on: 06/13/2022 13:15:00 UTC
Last modified on: 06/17/2022 23:23:00 UTC
References
- https://github.com/duracelltomi/gtm4wp/issues/224
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1707
- https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L298
- https://github.com/duracelltomi/gtm4wp/blob/1.15/public/frontend.php#L782
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1707