JobMonster < 4.5.2.9 – Unauthenticated Reflected Cross-Site Scripting | CVE 2022-1170

Description

In the theme JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests.

Note (WPScanTeam): It's unclear which exact version fixed the issue, but the lowest we were able to test and confirm remediation was 4.5.2.9.

Proof of Concept

https://example.com/resumes/?s=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E

Affects Themes

noo-jobmonster

Fixed in 4.5.2.9

References

CVE

CVE-2022-1170

URL

https://themeforest.net/item/jobmonster-job-board-wordpress-theme/10965446

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Daniel Ruf

Submitter

Daniel Ruf

Submitter website

https://daniel-ruf.de

Submitter twitter

DanielRufde

Verified

Yes

WPVDB ID

2ecb18e6-b575-4a20-bd31-94d24f1d1efc

Timeline

Publicly Published

2019-10-24 (about 6 years ago)

Added

2020-07-10 (about 5 years ago)

Last Updated

2022-04-09 (about 3 years ago)

Other

Published

Title

Published

2016-10-13

Title

Headway Theme < 3.8.9 - Authenticated Cross-Site Scripting (XSS)

Published

2023-04-19

Title

WP Cerber Security < 9.2 - Unauthenticated Stored XSS

Published

2025-11-11

Title

Easy Email Subscription < 1.3.1 - Unauthenticated Stored Cross-Site Scripting

Published

2021-08-24

Title

Recipe Card Blocks < 2.8.1 - Reflected Cross-Site Scripting

Published

2024-12-30

Title

GS Coaches < 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting