Does GTM+ WordPress have any unpatched vulnerabilities?

No. All known vulnerabilities in GTM+ WordPress have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is GTM+ WordPress compatible with WordPress 5.3.21?

According to WordPress.org data, GTM+ WordPress 1.0.1 has been tested up to WordPress 5.3.21. Check the plugin's changelog for the latest compatibility information.

Is GTM+ WordPress compatible with PHP 5.4+?

GTM+ WordPress requires PHP 5.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is GTM+ WordPress updated?

GTM+ WordPress was last updated on Aug 1, 2019. Frequent updates are generally a positive security signal.

What is GTM+ WordPress's security score?

GTM+ WordPress has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

GTM+ WordPress Security & Risk Analysis

wordpress.org/plugins/gtmpluswp

This plugin easily places the Google Tag Manager container code onto your WordPress website, so you do not have to worry about a manual installation.

40 active installs v1.0.1 PHP 5.4+ WP 4.3.0+ Updated Aug 1, 2019

google-tag-managergtmtag-containertag-management

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is GTM+ WordPress Safe to Use in 2026?

Generally Safe

Score 85/100

GTM+ WordPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 6yr ago

Risk Assessment

The gtmpluswp plugin, version 1.0.1, exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and avoiding external HTTP requests. The absence of known vulnerabilities in its history is also a strong indicator of stable development. However, significant concerns arise from its attack surface and code analysis. The plugin exposes one REST API route without any permission callbacks, creating a direct entry point for potential unauthorized actions. Furthermore, the taint analysis reveals three flows with unsanitized paths, although these are not categorized as critical or high severity. This indicates a potential for unintended data handling if these paths are triggered with malicious input, even if the immediate impact is not severe. The lack of nonce checks and capability checks on the identified entry points exacerbates these risks, as there are no built-in mechanisms to verify user intent or authorization before processing requests.

Key Concerns

Unprotected REST API route
Flows with unsanitized paths
No capability checks
Output escaping not fully implemented

Vulnerabilities

None known

GTM+ WordPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

GTM+ WordPress Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

27 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Guzzle

Output Escaping

68% escaped40 total outputs

Data Flows

3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths

input_id (gtm4wordpress.php:222)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

GTM+ WordPress Attack Surface

Entry Points1

Unprotected1

REST API Routes 1

POST/wp-json/gtm4wp/account_data/gtm4wordpress.php:192

WordPress Hooks 8

actionadmin_initgtm4wordpress.php:30

actionrest_api_initgtm4wordpress.php:191

actionadmin_footergtm4wordpress.php:257

actionadmin_menugtm4wordpress.php:322

actionadmin_noticesgtm4wordpress.php:345

actionadmin_noticesgtm4wordpress.php:394

actionwp_headgtm4wordpress.php:456

actionwp_footergtm4wordpress.php:549

Maintenance & Trust

GTM+ WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested5.3.21

Last updatedAug 1, 2019

PHP min version5.4

Downloads2K

Community Trust

Rating0/100

Number of ratings0

Active installs40

Alternatives

GTM+ WordPress Alternatives

GTM4WP – A Google Tag Manager (GTM) plugin for WordPress

duracelltomi-google-tag-manager

Advanced tag management for WordPress with Google Tag Manager

700K 3 CVEs

GTM Kit – Google Tag Manager & GA4 integration

gtm-kit

Google Tag Manager and GA4 integration. Including WooCommerce data for Google Analytics 4 and support for server side GTM.

30K 1 CVE

Stape Conversion Tracking

gtm-server-side

Google Tag Manager Server Side Integration Made Easy

10K 2 CVEs

Google Analytics and Google Tag Manager

wk-google-analytics

Google Analytics or Google Tag Manager for WordPress without tracking your own visits.

10K No CVEs

WP Global Site Tag

wp-global-site-tag

100

Global Site Tag (gtag.js) is a new Google Analytics replacement – giving you better control while making implementation easier. Using gtag.

8K No CVEs

Developer Profile

GTM+ WordPress Developer Profile

Mark-k

7 plugins · 2K total installs

trust score

Avg Security Score

87/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect GTM+ WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Version Parameters

gtm4wordpress/gtm4wordpress.php?ver=

HTML / DOM Fingerprints

Data Attributes

name="gtm4wordpress[layer_type]"name="gtm4wordpress[layer_categories]"name="gtm4wordpress[layer_tags]"name="gtm4wordpress[layer_author_id]"name="gtm4wordpress[layer_author_name]"name="gtm4wordpress[layer_date]"+4 more

JS Globals

window.gtm4wordpress

REST Endpoints

/wp-json/gtm4wp/account_data/

FAQ