[+] :: Title: JobCareer | Job Board Responsive WordPress Theme v2.5 Stored XSS Injection
[+] :: Author: QUIXSS
[+] :: Date: 2019-04-22
[+] :: Software: JobCareer | Job Board Responsive WordPress Theme v2.5
[?] :: Technical Details & Description:
# Weak security measures like bad input fields data filtering has been discovered in the «JobCareer | Job Board Responsive WordPress Theme». Current version of this WordPress premium theme is 2.5.
[?] :: Demo Website:
# Frontend: http://jobcareer.chimpgroup.com/
[!] :: Special Note:
# 6.026 Sales
[!] :: PoC Injection:
[+] :: PoC [Stored XSS Injection]:
# Register a new account on the demo website: http://jobcareer.chimpgroup.com/ (no email validation plus auto redirect after u submit the registration form). Then go to the «Resume» profile tab: http://jobcareer.chimpgroup.com/candidate-dashboard/?profile_tab=resume
# Some ot input fields are vulnerable for Stored XSS Injections due to bad XSS filtering. Press the «+ Add new» link and use your payload only in the text editor area and only in the «Source» view (</> icon).
# Sample payload to bypass XSS filter: <h1>QUIXSS</h1>"><script>alert('QUIXSS')</script>"><img src="x" onerror="alert('QUIXSS');">