GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Security & Risk Analysis

wordpress.org/plugins/duracelltomi-google-tag-manager

Advanced tag management for WordPress with Google Tag Manager

700K active installs · v1.22.3 · PHP 7.4+ · WP 3.4.0+ · Updated Dec 15, 2025
Tags: google-ads, google-analytics, google-tag-manager, gtm, tag-manager
98
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: May 31, 2022
Safety Verdict

Is GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Safe to Use in 2026?

Generally Safe

Score 98/100

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: May 31, 2022 · Updated 3mo ago
Risk Assessment

The duracelltomi-google-tag-manager plugin, version 1.22.3, exhibits a mixed security posture. On the positive side, the static analysis reveals a relatively small attack surface with only one AJAX handler and no REST API routes, shortcodes, or cron events. Crucially, the single entry point appears to have an authentication check, and there are no detected critical or high severity taint flows, indicating that sensitive data handling is likely robust in the current version. Furthermore, a high percentage of output is properly escaped, mitigating some Cross-Site Scripting (XSS) risks.

However, significant concerns arise from the plugin's vulnerability history. It has a total of three known CVEs, with one high and two medium severity vulnerabilities previously identified, primarily related to Cross-Site Scripting. The fact that there have been multiple historical vulnerabilities of this nature, even if currently patched, suggests a recurring pattern of input sanitization or output escaping deficiencies. The static analysis also shows 2% of SQL queries are not using prepared statements, which can lead to SQL injection vulnerabilities if not properly handled, and a lack of comprehensive capability checks is also noted. The plugin's history of XSS vulnerabilities, coupled with the presence of raw SQL queries and the lack of capability checks, suggests that while current taint analysis might be clean, past issues point to potential weaknesses that could resurface or be exploited in future versions or through different attack vectors.

In conclusion, while the immediate static analysis of version 1.22.3 shows some good security practices like limited attack surface and good output escaping, the plugin's historical vulnerability profile, particularly concerning XSS, and the presence of raw SQL queries are significant weaknesses. Users should remain vigilant and prioritize updating to newer versions as they become available, while developers should focus on addressing the historical patterns of input validation and output escaping flaws.

Key Concerns

  • Raw SQL queries without prepared statements
  • Vulnerability history: 1 High severity CVE
  • Vulnerability history: 2 Medium severity CVEs
  • No capability checks on entry points
Vulnerabilities
3

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Security Vulnerabilities

CVEs by Year

2022: 3 CVEs

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2022-1961 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Google Tag Manager for WordPress (GTM4WP) <= 1.15.1 - Stored Cross-Site Scripting via Content Element ID

May 31, 2022 · Patched in 1.15.2 (602d)

CVE-2022-1707 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Google Tag Manager for WordPress <= 1.15 - Reflected Cross-Site Scripting via Site Search

May 19, 2022 · Patched in 1.15.1 (614d)

WF-79a41b84-2e19-46eb-9f6b-5155da0b15cc-duracelltomi-google-tag-manager · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Google Tag Manager for WordPress <= 1.15 - Cross-Site Scripting via Cloudflare Country Code

May 12, 2022 · Patched in 1.15.1 (621d)
Code Analysis
Analyzed Mar 16, 2026

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (0 prepared)
Unescaped Output: 46 (204 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 2
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

0% prepared · 2 total queries

Output Escaping

82% escaped · 250 total outputs

Data Flows: All sanitized

Data Flow Analysis

1 flow
<woocommerce> (integration\woocommerce.php:0)
Attack Surface

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_gtm4wp_dismiss_notice · admin\admin.php:1386

WordPress Hooks: 58

action · admin_init · admin\admin.php:1380
action · admin_menu · admin\admin.php:1381
action · admin_enqueue_scripts · admin\admin.php:1382
action · admin_notices · admin\admin.php:1383
action · admin_head · admin\admin.php:1384
filter · plugin_action_links · admin\admin.php:1385
action · in_plugin_update_message-duracelltomi-google-tag-manager-for-wordpress/duracelltomi-google-tag-manager-for-wordpress.php · admin\admin.php:1387
action · init · duracelltomi-google-tag-manager-for-wordpress.php:47
action · plugins_loaded · duracelltomi-google-tag-manager-for-wordpress.php:63
action · before_woocommerce_init · duracelltomi-google-tag-manager-for-wordpress.php:78
action · amp_post_template_head · integration\amp.php:63
action · amp_post_template_data · integration\amp.php:157
action · amp_post_template_head · integration\amp.php:160
action · amp_post_template_head · integration\amp.php:161
action · amp_post_template_body_open · integration\amp.php:165
action · amp_post_template_footer · integration\amp.php:167
filter · loop_end · integration\woocommerce.php:1503
action · woocommerce_after_shop_loop_item · integration\woocommerce.php:1504
action · woocommerce_after_add_to_cart_button · integration\woocommerce.php:1505
action · wp_enqueue_scripts · integration\woocommerce.php:1507
filter · woocommerce_blocks_product_grid_item_html · integration\woocommerce.php:1510
action · woocommerce_thankyou · integration\woocommerce.php:1512
action · woocommerce_before_template_part · integration\woocommerce.php:1515
action · woocommerce_after_template_part · integration\woocommerce.php:1516
filter · widget_title · integration\woocommerce.php:1517
action · wc_quick_view_before_single_product · integration\woocommerce.php:1518
filter · woocommerce_grouped_product_list_column_label · integration\woocommerce.php:1519
filter · woocommerce_cart_item_product · integration\woocommerce.php:1521
filter · woocommerce_cart_item_remove_link · integration\woocommerce.php:1522
action · woocommerce_cart_item_restored · integration\woocommerce.php:1523
filter · woocommerce_related_products_args · integration\woocommerce.php:1525
filter · woocommerce_related_products_columns · integration\woocommerce.php:1526
filter · woocommerce_cross_sells_columns · integration\woocommerce.php:1527
filter · woocommerce_upsells_columns · integration\woocommerce.php:1528
action · woocommerce_shortcode_before_recent_products_loop · integration\woocommerce.php:1530
action · woocommerce_shortcode_before_sale_products_loop · integration\woocommerce.php:1531
action · woocommerce_shortcode_before_best_selling_products_loop · integration\woocommerce.php:1532
action · woocommerce_shortcode_before_top_rated_products_loop · integration\woocommerce.php:1533
action · woocommerce_shortcode_before_featured_products_loop · integration\woocommerce.php:1534
action · woocommerce_shortcode_before_related_products_loop · integration\woocommerce.php:1535
filter · oembed_result · integration\youtube.php:33
filter · safe_style_css · public\frontend.php:791
action · wp_enqueue_scripts · public\frontend.php:1438
action · wp_head · public\frontend.php:1443
action · wp_head · public\frontend.php:1444
action · wp_footer · public\frontend.php:1445
action · wp_loaded · public\frontend.php:1446
action · init · public\frontend.php:1448
action · body_open · public\frontend.php:1451
action · genesis_before · public\frontend.php:1454
action · generate_before_header · public\frontend.php:1455
action · elementor/page_templates/canvas/before_content · public\frontend.php:1456
action · ct_before_builder · public\frontend.php:1457
action · fl_before_builder · public\frontend.php:1458
action · wp_body_open · public\frontend.php:1461
filter · rocket_excluded_inline_js_content · public\frontend.php:1463
action · wp_login · public\frontend.php:1476
action · user_register · public\frontend.php:1480

Maintenance & Trust

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 15, 2025
PHP min version: 7.4
Downloads: 13.9M

Community Trust

Rating: 90/100
Number of ratings: 154
Active installs: 700K

Developer Profile

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Developer Profile

Thomas Geiger

1 plugin · 700K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 612 days
Detection Fingerprints

How We Detect GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/duracelltomi-google-tag-manager/dist/js/gtm4wp-frontend.js
/wp-content/plugins/duracelltomi-google-tag-manager/dist/js/gtm4wp-gtm-autodetect.js
/wp-content/plugins/duracelltomi-google-tag-manager/dist/js/gtm4wp-admin.js
/wp-content/plugins/duracelltomi-google-tag-manager/dist/css/gtm4wp-admin.css

Script Paths
/wp-content/plugins/duracelltomi-google-tag-manager/dist/js/gtm4wp-frontend.js
/wp-content/plugins/duracelltomi-google-tag-manager/dist/js/gtm4wp-gtm-autodetect.js

Version Parameters
duracelltomi-google-tag-manager/dist/js/gtm4wp-frontend.js?ver=
duracelltomi-google-tag-manager/dist/js/gtm4wp-gtm-autodetect.js?ver=
duracelltomi-google-tag-manager/dist/js/gtm4wp-admin.js?ver=
duracelltomi-google-tag-manager/dist/css/gtm4wp-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
gtm4wp-inline-script
gtm4wp-gtm-container

HTML Comments
<!-- GTM4WP: BEGIN GTM body script -->
<!-- GTM4WP: END GTM body script -->
<!-- GTM4WP: BEGIN GTM NO SCRIPT -->
<!-- GTM4WP: END GTM NO SCRIPT -->

Data Attributes
data-gtm4wp-id

JS Globals
gtm4wp_datas
gtm4wp_frontend

FAQ

Frequently Asked Questions about GTM4WP – A Google Tag Manager (GTM) plugin for WordPress