Volerion logoVolerion
Volerion logoVolerion

Google Tag Manager for WordPress Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Google Tag Manager for WordPress plugin, specifically in versions through 1.15.1. The issue arises in the frontend.php file, where the site search is inadequately sanitized before being added to the data layer. This vulnerability allows unauthenticated attackers to inject malicious scripts via the 's' parameter.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, an unauthenticated user can send a request to a site with a vulnerable version of the Google Tag Manager for WordPress plugin. The request must include the 's' parameter with a value that contains the malicious script. Once the request is processed, the injected script will be executed, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to update the Google Tag Manager for WordPress plugin to version 1.15.2 or newer.

Added: May 15, 2026, 8:22 AM
Updated: May 15, 2026, 8:22 AM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
1.7
exploitability
7.2
remediation
0.0
relevance
0.0
threat
5.0
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.