Themes Vulnerabilities

JobCareer < 3.5 - Multiple Cross-Site Scripting (XSS)

Description

An Unauthenticated Reflected & Authenticated Persistent XSS vulnerabilities were discovered in the JobCareer theme through 3.4 for WordPress.

Unauthenticated Reflected XSS -> Vulnerable parameters: job_title, specialisms, location

Authenticated Persistent XSS on Employer Profile -> «Complete Address» text field

Proof of Concept

Affects Themes

jobcareer
Fixed in 3.5

References

URL
https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
Yes
WPVDB ID
8a8d2fd6-9e95-420f-9e9d-f82d78f47cd7

Timeline

Publicly Published
2020-07-31 (about 5 years ago)
Added
2020-07-31 (about 5 years ago)
Last Updated
2020-08-06 (about 5 years ago)

Other

Published
Title
Published
2025-03-01
Title
WP Posts Carousel < 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play_timeout Parameter
Published
2021-10-14
Title
Job Board Vanila <= 1.0 - Admin+ Stored Cross-Site Scripting
Published
2024-07-08
Title
Email Encoder < 2.2.2 - Admin+ Stored XSS
Published
2014-08-01
Title
Schreikasten 0.14.13 - wp-admin/admin-ajax.php Multiple Parameter XSS
Published
2025-01-07
Title
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates < 5.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting