Exploit for Custom Field For WP Job Manager < 1.2 - Admin+ Stored XSS CVE-2023-3328

Name: Exploit for Custom Field For WP Job Manager < 1.2 - Admin+ Stored XSS CVE-2023-3328
Rating: 5 (102 reviews)

2023-07-24 | CVSS 4.8

## https://sploitus.com/exploit?id=WPEX-ID:D8B76875-CF7F-43A9-B88B-D8AEFEFAB131
To test, you also need to have WP Job Manager installed.

When adding a new field:

1. In the plugin settings, "Add a New Field" and for the "Field Name" use `" style=animation-name:rotation onanimationstart=alert(/XSS/)//` and save.
2. Edit the field you created and see the XSS.

When editing an existing field:

1. Edit a field
2. For the "Field Name" use `" style=animation-name:rotation onanimationstart=alert(/XSS/)//` and in the "OutPut" field enter `<script>alert(1)</script>`
3. Add a new job and go through the submission process. When previewing, the plugin does not sanitize the "OutPut" string, leading to an XSS.