Themes Vulnerabilities

Workup – Job Board < 2.1.6 - Unauthenticated Reflected XSS

Description

Unauthenticated Reflected XSS vulnerability was discovered in the «Workup – Job Board WordPress Theme», tested version — v2.1.5.

Proof of Concept

https://apusthemes.com/wp-demo/workup/jobs/?filter-title=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28`XSS`%29%3E&filter-center-location=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS2`)%3E

Affects Themes

workup
Fixed in 2.1.6

References

URL
https://themeforest.net/item/workup-job-board-wordpress-theme/24261784
URL
https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-06-17-workup-job-board-wordpress-theme-v2-1-5.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
No
WPVDB ID
863fd2c3-c37d-4c80-990c-dbe2d3d6db05

Timeline

Publicly Published
2020-07-13 (about 3 years ago)
Added
2020-07-13 (about 3 years ago)
Last Updated
2020-07-15 (about 3 years ago)

Other

Published
Title
Published
2022-01-31
Title
Superforms < 6.0.4 - Reflected Cross-Site Scripting
Published
2023-10-11
Title
Copy Or Move Comments <= 5.0.4 - Reflected XSS
Published
2023-06-26
Title
Floating Chat Widget < 3.1.2 - Admin+ Stored Cross-Site Scripting
Published
2022-09-23
Title
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Shortcode
Published
2022-10-28
Title
Slideshow SE < 2.5.6 - Subscriber+ Stored XSS