CSRF in Metronet Tag Manager allows anybody to do almost anything an admin can


Last revised:

The plugin’s settings page sends a nonce, and checks it when displaying the success/failure message, but is not checked when setting options.

This option is meant to contain JavaScript for Google Tag Manager, so it’s displayed on every frontend page without escaping.

As this vulnerability allows adding arbitrary JavaScript, the attacker can use it to control an admin user’s browser to do almost anything an admin user can do.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Press submit on a page containing the following HTML snippet:

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=metronet-tag-manager">
 <input type="text" name="submit" value="1">
 <input type="text" name="gtm-code-head" value="&lt;script>alert(1)&lt;/script>">
 <input type="submit">

In a real attack, the form can be made to autosubmit so the victim only has to follow a link.

Advisory timeline

  • 2018-04-13: Discovered
  • 2018-04-16: Reported to plugin author via Facebook private message
  • 2018-04-17: Plugin author confirmed receipt of message
  • 2018-04-24: Plugin changelog indicates bug has been fixed inĀ 1.2.9
  • 2018-05-15: Advisory published
  • 2018-05-22: CVE requested
  • 2018-06-23: CVE assigned

Mitigation/further actions

Upgrade to version 1.2.9 or later.