Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery

Summary

WordPress is a blogging platform written in PHP that uses a MySQL database. It began as a personal blog system and gradually evolved into a content management system. Users can set up their own websites on servers that support PHP and MySQL databases.
Metronet Tag Manager is a WordPress plugin that integrates Google Tag Manager into a website. It supports dataLayer variables on a per-post and per-page basis, and uses variables for flexibility.
The plugin's settings page sends a nonce and checks it when displaying the success/failure message, but the nonce is not checked when setting options. The affected option is meant to contain JavaScript for Google Tag Manager, so it's displayed on every frontend page without escaping. As this vulnerability allows adding arbitrary JavaScript, the attacker can use it to control an admin user's browser to do almost anything an admin user can do.
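
The flaw described above comes down to the order of operations in the save handler. The following is an added illustration, not the plugin's own code: it shows that pattern next to a corrected handler, assuming it is loaded by WordPress as plugin code, and every `mtm_example_*` function, option and nonce action name is hypothetical.

```php
<?php
// Added illustration; every mtm_example_* name is hypothetical, not the plugin's own.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only meaningful when loaded by WordPress as plugin code.
}

// BEFORE: the pattern the advisory describes. The option is written first and the
// nonce is consulted only afterwards, to choose which notice to display.
function mtm_example_save_vulnerable() {
    if ( ! isset( $_POST['mtm_example_gtm_code'] ) ) {
        return;
    }
    update_option( 'mtm_example_gtm_code', wp_unslash( $_POST['mtm_example_gtm_code'] ) );
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    $GLOBALS['mtm_example_saved'] = (bool) wp_verify_nonce( $nonce, 'mtm_example_save' );
}

// AFTER: capability and nonce are verified before any state changes.
function mtm_example_save_fixed() {
    if ( ! isset( $_POST['mtm_example_gtm_code'] ) ) {
        return;
    }
    // The stored value is echoed unescaped on every frontend page, so require the
    // capability that permits raw markup as well as settings access.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() terminates the request on a missing or invalid nonce.
    check_admin_referer( 'mtm_example_save' );
    update_option( 'mtm_example_gtm_code', wp_unslash( $_POST['mtm_example_gtm_code'] ) );
    $GLOBALS['mtm_example_saved'] = true;
}
add_action( 'admin_init', 'mtm_example_save_fixed' );

// Settings form: emits the hidden _wpnonce field bound to the same action string.
function mtm_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'mtm_example_save' );
    echo '<textarea name="mtm_example_gtm_code">'
        . esc_textarea( get_option( 'mtm_example_gtm_code', '' ) ) . '</textarea>';
    submit_button();
    echo '</form>';
}
```

Only the corrected handler is hooked; the first function is kept for comparison. When reviewing other settings handlers, confirm that the nonce check precedes every `update_option()` call rather than only gating the status message.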

Solution

The vendor has fixed the vulnerability in Metronet Tag Manager version 1.2.9. Update the plugin to the latest version:
https://wordpress.org/plugins/metronet-tag-manager/