InJob < 3.3.8 - Reflected & Persistent XSS

Multiple XSS vulnerabilities have been found in the «InJob | Multi-purpose for recruitment WordPress Theme» theme, v3.3.6.

Edit (WPScanTeam):
September 16th, 2019 - Envato Contacted
September 16th, 2019 - v3.3.7 released. XSS still present
October 11th, 2019 - Envato contacted again for updates
October 14th, 2019 - Envato Investigating
October 21st, 2019 - v3.3.8 released, fixing the issues.
Proof of Concept
----[]- Reflected XSS: -[]----
Enter the payload in the «Enter Keywords» input field and submit the form; the payload is triggered twice.

Payload Sample: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">

PoC Link:

----[]- Persistent XSS #1: -[]----
You need a new basic user account; then go to the dashboard and edit your profile. Vulnerable input fields:
- «Phone» & «Headline *»;
- «Title» input field in the «Skills» section;
- «Title», «Description», «Date In - Date Out» & «Company Name» in the «Experiences» section;
- «Title», «Description» & «School Name» in the «Educations» section;
- «Address *» input field in the «Location & Map» section.
Use your payload inside any vulnerable input field and save your profile.

Payload Sample: <!--<img src="--><img src=x onerror=(alert)(document.cookie)//">

PoC: log in as candidate (login) / demo (password) and go to the dashboard, or go to the page as a guest.

----[]- Persistent XSS #2: -[]----
You need an employer user account; then go to the page to create a new job offer. Vulnerable input fields: «Salary Postfix Text» and «Address *».

Payload Sample: <img src=x onerror=(alert)(document.domain)//">
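Added example (not part of the original advisory or of the theme's code): the script below shows why the reflected payload above works in two different reflection contexts, and what the fix at output time looks like. It renders the advisory's payload into two constructed templates that stand in for a search results page (the keyword echoed into a text node and into a double-quoted value attribute; these templates are an assumption for illustration, not InJob's actual markup) and runs Python's HTML tokenizer over the output to list the event handlers a browser would see. In the text node the leading <!--...--> comment swallows the markup the payload was written to break out of and a fresh <img onerror> tag follows; in the attribute the payload's first " closes the value and the same tag follows. Escaping the keyword with html.escape() before output (the WordPress equivalents are esc_html() for text and esc_attr() for attribute values) removes both.

```python
import html
from html.parser import HTMLParser

# Constructed payload (the one shown in the advisory) and two hypothetical
# reflection points modelled on a search page: the keyword echoed into a
# text node and into a double-quoted value attribute. The templates are an
# assumption for illustration only, not the theme's real markup.
PAYLOAD = '<!--<img src="--><img src=x onerror=(alert)(document.cookie)//">'

TEMPLATES = {
    "heading": "<h2>Results for: {kw}</h2>",
    "input": '<input type="text" name="keywords" value="{kw}">',
}


class HandlerFinder(HTMLParser):
    """Collect every on* event-handler attribute the tokenizer sees."""

    def __init__(self):
        super().__init__()
        self.handlers = []  # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value))


def find_handlers(markup):
    """Return the event handlers a tokenizer finds in the rendered markup."""
    finder = HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


def render_vulnerable(keyword):
    """Echo the keyword verbatim into both reflection points (the bug)."""
    return "\n".join(t.format(kw=keyword) for t in TEMPLATES.values())


def render_escaped(keyword):
    """Escape for HTML before output: < > & " ' all become entities, so the
    same keyword can neither close the attribute nor start a new tag."""
    safe = html.escape(keyword, quote=True)
    return "\n".join(t.format(kw=safe) for t in TEMPLATES.values())


def count_injected_handlers(render, keyword=PAYLOAD):
    """Number of event handlers the payload manages to inject via `render`."""
    return len(find_handlers(render(keyword)))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("escaped", render_escaped)):
        out = render(PAYLOAD)
        print(f"--- {label} render ---")
        print(out)
        print("event handlers parsed:", find_handlers(out))
```

Running the script prints both renders and the handler list: the vulnerable render yields two img/onerror handlers, one per reflection point, and the escaped render yields none. The same check applies to the stored fields listed under the persistent issues, since the cause is identical: user-controlled text written into the page without escaping for the context it lands in.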

Affects Theme

Fixed in version 3.3.8

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)


Original Researcher subversa
Submitter subversa
Views 12124
Verified Yes

Publicly Published 2019-09-16
Added 2019-10-22
Last Updated 2020-03-03
