CVE-2023-5561

WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

El complemento Popup Builder de WordPress hasta la versión 4.1.15 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting almacenados incluso cuando la capacidad unfiltered_html no está permitida (por ejemplo, en una configuración multisitio).

WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is applied to the user_email column. This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.

*Credits: Marc Montpas, WPScan

CVSS Scores

NISTv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-10-12 CVE Reserved
2023-10-12 CVE Published
2023-12-13 First Exploit
2024-08-02 CVE Updated
2024-11-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (4)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html

URL	Date	SRC
https://github.com/pog007/CVE-2023-5561-PoC	2023-12-13
https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2	2024-08-02
https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441	2024-08-02

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 4.7 < 4.7.27 Search vendor "Wordpress" for product "Wordpress" and version " >= 4.7 < 4.7.27"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 4.8 < 4.8.23 Search vendor "Wordpress" for product "Wordpress" and version " >= 4.8 < 4.8.23"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 4.9 < 4.9.24 Search vendor "Wordpress" for product "Wordpress" and version " >= 4.9 < 4.9.24"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.0 < 5.0.20 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.0 < 5.0.20"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.1 < 5.1.17 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.1 < 5.1.17"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.2 < 5.2.19 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.2 < 5.2.19"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.3 < 5.3.16 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.3 < 5.3.16"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.4 < 5.4.14 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.4 < 5.4.14"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.5 < 5.5.13 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.5 < 5.5.13"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.6 < 5.6.12 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.6 < 5.6.12"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.7 < 5.7.10 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.7 < 5.7.10"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.8 < 5.8.8 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.8 < 5.8.8"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 5.9 < 5.9.8 Search vendor "Wordpress" for product "Wordpress" and version " >= 5.9 < 5.9.8"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 6.0 < 6.0.6 Search vendor "Wordpress" for product "Wordpress" and version " >= 6.0 < 6.0.6"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 6.1 < 6.1.4 Search vendor "Wordpress" for product "Wordpress" and version " >= 6.1 < 6.1.4"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 6.2 < 6.2.3 Search vendor "Wordpress" for product "Wordpress" and version " >= 6.2 < 6.2.3"		-		Affected
Wordpress Search vendor "Wordpress"		Wordpress Search vendor "Wordpress" for product "Wordpress"				>= 6.3 < 6.3.2 Search vendor "Wordpress" for product "Wordpress" and version " >= 6.3 < 6.3.2"		-		Affected