JobCareer | Job Board Responsive WordPress Theme v2.5 Stored XSS Injection

2019.04.22
QUIXSS (RU)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[+] :: Title: JobCareer | Job Board Responsive WordPress Theme v2.5 Stored XSS Injection
[+] :: Author: QUIXSS
[+] :: Date: 2019-04-22
[+] :: Software: JobCareer | Job Board Responsive WordPress Theme v2.5

[?] :: Technical Details & Description:
# Weak security measures, such as poor filtering of input field data, have been discovered in the «JobCareer | Job Board Responsive WordPress Theme». The current version of this premium WordPress theme is 2.5.

[?] :: Demo Website:
# https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
# Frontend: http://jobcareer.chimpgroup.com/

[!] :: Special Note:
# 6.026 Sales

[!] :: PoC Injection:
# http://jobcareer.chimpgroup.com/candidate/asdasdasdasdasd/

[+] :: PoC [Stored XSS Injection]:
# Register a new account on the demo website: http://jobcareer.chimpgroup.com/ (there is no email validation, and you are redirected automatically after you submit the registration form). Then go to the «Resume» profile tab: http://jobcareer.chimpgroup.com/candidate-dashboard/?profile_tab=resume
# Some of the input fields are vulnerable to Stored XSS Injection due to bad XSS filtering. Press the «+ Add new» link and use your payload only in the text editor area and only in the «Source» view (</> icon).
# Sample payload to bypass XSS filter: <h1>QUIXSS</h1>"><script>alert('QUIXSS')</script>"><img src="x" onerror="alert('QUIXSS');">

References:

https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636


Copyright 2019, cxsecurity.com