Themes Vulnerabilities

InJob < 3.4.1 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

An Authenticated (subscriber+) Reflected XSS vulnerability was discovered in the InJob theme through 3.4.0 for WordPress.

Proof of Concept

Affects Themes

injob
Fixed in 3.4.1

References

URL
https://themeforest.net/item/injob-job-board-wordpress-theme/20322987
URL
https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-02-injob-multi-features-for-recruitment-wordpress-theme-v3-4-0.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
Yes
WPVDB ID
2055613b-fc97-4a84-b84b-2ebdd93a2198

Timeline

Publicly Published
2020-07-10 (about 5 years ago)
Added
2020-07-10 (about 5 years ago)
Last Updated
2020-07-13 (about 5 years ago)

Other

Published
Title
Published
2024-04-29
Title
WP Shortcodes Plugin — Shortcodes Ultimate < 7.1.3 - Contributor+ Stored XSS
Published
2025-01-23
Title
Precious Metals Charts and Widgets for WordPress < 1.2.9 - Authenticated (Contributor+) Stored Cross-site Scripting
Published
2025-04-24
Title
WP Cookie Consent <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2021-09-13
Title
Affiliate Power < 2.3.0 - Reflected Cross-Site Scripting
Published
2019-05-21
Title
WP Slimstat <= 4.8 - Unauthenticated Stored XSS from Visitors