Themes Vulnerabilities

Careerfy < 4.3.0 - Unauthenticated Reflected Cross-Site Scripting

Description

An Unauthenticated Reflected XSS vulnerability was discovered in the Careerfy Job Board theme v4.2.0 for WordPress.

Proof of Concept

Affects Themes

careerfy
Fixed in 4.3.0

References

URL
https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053
URL
https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-15-careerfy-job-board-wordpress-theme-v4-2-0.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vlad Vector
Submitter
VLΛD VΞCTOR
Submitter website
https://vladvector.ru
Submitter twitter
vlad_vector
Verified
Yes
WPVDB ID
e09f0df7-4736-4c71-9727-9c796796a72a

Timeline

Publicly Published
2020-07-18 (about 5 years ago)
Added
2020-07-18 (about 5 years ago)
Last Updated
2020-07-21 (about 5 years ago)

Other

Published
Title
Published
2014-08-01
Title
Zingiri Forum 1.4.2 - forum.php zing_forum_output Function url Parameter XSS
Published
2025-02-03
Title
Easy WP Tiles <= 1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2020-08-17
Title
Responsive Lightbox2 < 1.0.3 - Authenticated Stored Cross-Site Scripting
Published
2025-06-27
Title
WP Visual Sitemap <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-05-07
Title
Really Simple Under Construction Page <= 1.4.6 - Authenticated (Administrator+) Stored Cross-Site Scripting