CVE-2022-1707: 
WordPress vulnerability analysis and mitigation

The Google Tag Manager for WordPress plugin versions below 1.15.1 were found to contain a reflected Cross-Site Scripting (XSS) vulnerability via the 's' parameter. This vulnerability was discovered and disclosed on May 19, 2022. The issue affects WordPress installations using the Google Tag Manager plugin, specifically when the search data is included in the data layer with Basic data > Search data settings enabled (WPScan).

The vulnerability occurs because the plugin does not properly sanitize and escape the 's' parameter before outputting it back in a page when search data is included in the data layer. The vulnerability has been assigned a CVSS score of 6.1 (Medium), indicating a moderate severity level. The issue is classified as CWE-79 and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan).

If exploited, this XSS vulnerability could allow attackers to inject malicious scripts that would execute in users' browsers when they interact with the affected parameter. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been fixed in version 1.15.1 of the Google Tag Manager for WordPress plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploits (WPScan).