CVE-2023-5561
WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure
- Public Exploits: 3
- Exploited in Wild: -
Descriptions
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.
WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is still applied to the user_email column. This allows unauthenticated attackers to brute-force or verify the email addresses of users with published posts or pages on the site.
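For sites that cannot move to a patched release immediately, the exposure described above can be narrowed with a must-use plugin that stops low-privilege REST callers from searching the user_email column. This is an added example, not WordPress core's own patch; it uses the real `rest_user_query` filter and the `search_columns` argument of `WP_User_Query`, and the choice of columns left searchable for unprivileged callers is this example's assumption.

```php
<?php
/**
 * Plugin Name: Restrict REST user search columns (CVE-2023-5561 hardening)
 * Description: Added example, not WordPress core code. Place in wp-content/mu-plugins/.
 */

// Runs for every GET /wp-json/wp/v2/users request before WP_User_Query executes.
add_filter( 'rest_user_query', function ( array $prepared_args, WP_REST_Request $request ) {
    // Callers who may list users already see emails; leave their searches alone.
    if ( current_user_can( 'list_users' ) ) {
        return $prepared_args;
    }

    // Nothing to restrict when no search term was supplied.
    if ( empty( $prepared_args['search'] ) ) {
        return $prepared_args;
    }

    // Without an explicit list, WP_User_Query picks columns from the term itself
    // (a term containing '@' is matched against user_email). Pinning the list to
    // public-facing columns removes the email column as a yes/no oracle.
    // Assumed column set for this example: adjust to what your site exposes.
    $prepared_args['search_columns'] = array( 'ID', 'user_login', 'user_nicename', 'display_name' );

    return $prepared_args;
}, 10, 2 );
```

Treat this as a stopgap only: the affected-version table below lists the release of each branch that carries the upstream fix, and updating remains the actual remediation.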
CVSS Scores
SSVC
- Decision: -
Timeline
- 2023-10-12 CVE Reserved
- 2023-10-12 CVE Published
- 2023-12-13 First Exploit
- 2024-08-02 CVE Updated
- 2024-11-04 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (4)
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Wordpress | Wordpress | >= 4.7 < 4.7.27 | - | Affected
Wordpress | Wordpress | >= 4.8 < 4.8.23 | - | Affected
Wordpress | Wordpress | >= 4.9 < 4.9.24 | - | Affected
Wordpress | Wordpress | >= 5.0 < 5.0.20 | - | Affected
Wordpress | Wordpress | >= 5.1 < 5.1.17 | - | Affected
Wordpress | Wordpress | >= 5.2 < 5.2.19 | - | Affected
Wordpress | Wordpress | >= 5.3 < 5.3.16 | - | Affected
Wordpress | Wordpress | >= 5.4 < 5.4.14 | - | Affected
Wordpress | Wordpress | >= 5.5 < 5.5.13 | - | Affected
Wordpress | Wordpress | >= 5.6 < 5.6.12 | - | Affected
Wordpress | Wordpress | >= 5.7 < 5.7.10 | - | Affected
Wordpress | Wordpress | >= 5.8 < 5.8.8 | - | Affected
Wordpress | Wordpress | >= 5.9 < 5.9.8 | - | Affected
Wordpress | Wordpress | >= 6.0 < 6.0.6 | - | Affected
Wordpress | Wordpress | >= 6.1 < 6.1.4 | - | Affected
Wordpress | Wordpress | >= 6.2 < 6.2.3 | - | Affected
Wordpress | Wordpress | >= 6.3 < 6.3.2 | - | Affected