CVE-2023-5561
published 2023-10-16

Priority: P3 · 44 · medium · CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit
EPSS: 3.86% (88.9th percentile)
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

Affected

38 ranges · showing 25

Vendor      Product     Version range                                   Fixed in
debian      wordpress   < wordpress 6.1.6+dfsg1-0+deb12u1 (bookworm)    wordpress 6.1.6+dfsg1-0+deb12u1 (bookworm)
wordpress   wordpress   >= 0 < 5.7.11+dfsg1-0+deb11u1                   5.7.11+dfsg1-0+deb11u1
wordpress   wordpress   >= 0 < 6.1.6+dfsg1-0+deb12u1                    6.1.6+dfsg1-0+deb12u1
wordpress   wordpress   >= 0 < 6.3.2+dfsg1-1                            6.3.2+dfsg1-1
wordpress   wordpress   >= 0 < 6.3.2+dfsg1-1                            6.3.2+dfsg1-1
wordpress   wordpress   >= 4.7 < 4.7.27                                 4.7.27
wordpress   wordpress   >= 4.7.0 < 4.7.27                               4.7.27
wordpress   wordpress   >= 4.8 < 4.8.23                                 4.8.23
wordpress   wordpress   >= 4.8.0 < 4.8.23                               4.8.23
wordpress   wordpress   >= 4.9 < 4.9.24                                 4.9.24
wordpress   wordpress   >= 4.9.0 < 4.9.24                               4.9.24
wordpress   wordpress   >= 5.0 < 5.0.20                                 5.0.20
wordpress   wordpress   >= 5.0.0 < 5.0.20                               5.0.20
wordpress   wordpress   >= 5.1 < 5.1.17                                 5.1.17
wordpress   wordpress   >= 5.2 < 5.2.19                                 5.2.19
wordpress   wordpress   >= 5.2.0 < 5.2.19                               5.2.19
wordpress   wordpress   >= 5.3 < 5.3.16                                 5.3.16
wordpress   wordpress   >= 5.3.0 < 5.3.16                               5.3.16
wordpress   wordpress   >= 5.4 < 5.4.14                                 5.4.14
wordpress   wordpress   >= 5.4.0 < 5.4.14                               5.4.14
wordpress   wordpress   >= 5.5 < 5.5.13                                 5.5.13
wordpress   wordpress   >= 5.5.0 < 5.5.13                               5.5.13
wordpress   wordpress   >= 5.6 < 5.6.12                                 5.6.12
wordpress   wordpress   >= 5.6.0 < 5.6.12                               5.6.12
wordpress   wordpress   >= 5.7 < 5.7.10                                 5.7.10

Detection & IOCs (extracted from sources)

url: /wp-json/wp/v2/users?search=@
url: /?rest_route=/wp/v2/users&search=@
  • Monitor unauthenticated GET requests to the WordPress User REST API endpoints (/wp-json/wp/v2/users or /?rest_route=/wp/v2/users) containing a 'search' parameter with email-like patterns (e.g., '@'), which is indicative of an Oracle-style email enumeration attack.
  • A successful probe returns HTTP 200 with Content-Type application/json and a body containing '[{"id' and 'name:' fields. Alert on repeated unauthenticated requests matching this response pattern against the users endpoint.
  • The vulnerability affects WordPress versions 4.7.0 through 6.3.1. Identify unpatched instances by checking the WordPress version; fixed in 6.3.2 and backported patches.
  • The search query is applied to the user_email column in the database even though email addresses are not returned in results to unauthenticated users. Repeated requests with incremental email character guesses (oracle-style) can confirm valid addresses.
  • The attack only exposes email addresses of users who have published public posts or pages; accounts with no public content are not enumerable via this method.
  • The Nuclei template uses a two-step flow: first confirming WordPress is present (via /wp-content/plugins in the body), then probing the users endpoint. Detection logic should account for both REST route variants as the template tries both in a clusterbomb attack.
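The monitoring guidance above can be turned into a log rule directly. The following is an added example written for this page; it is not part of the CVE record, the Nuclei template, or WordPress. It parses web-server access logs in the common "combined" format, flags GET requests that reach the users collection through either route variant with an '@' in the `search` parameter (URL-encoded `%40` included), and raises an alert for a client that gets several HTTP 200 answers, since a single request may be benign but repetition is what an oracle-style enumeration looks like. The log lines are constructed sample data, and the alert threshold of three is an assumption; an access log does not show whether a request carried a valid session, so every match is treated as potentially unauthenticated.

```python
"""Flag WordPress REST user-search probes (the CVE-2023-5561 pattern) in access logs.

Added example for this page, not code from the CVE record, Nuclei, or WordPress.
Input: nginx/Apache "combined" access log lines. The sample lines below are
constructed; the alert threshold is an assumption.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip - user [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two ways to reach the users collection named in the record.
USERS_PATH = "/wp-json/wp/v2/users"
REST_ROUTE = "/wp/v2/users"


def is_users_endpoint(target: str) -> tuple[bool, dict]:
    """Return (True, query) when the request hits the users endpoint via either route."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.rstrip("/") == USERS_PATH:
        return True, query
    # Permalink-less variant: /?rest_route=/wp/v2/users&search=...
    route = query.get("rest_route", [""])[0].rstrip("/")
    return route == REST_ROUTE, query


def is_email_probe(query: dict) -> bool:
    """True when any 'search' value contains '@' (parse_qs already decodes %40)."""
    return any("@" in v for v in query.get("search", []))


def classify_line(line: str):
    """Return a dict describing a probe, or None for unrelated traffic."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    hit, query = is_users_endpoint(m["target"])
    if not hit or not is_email_probe(query):
        return None
    return {
        "ip": m["ip"],
        "search": query["search"],
        # HTTP 200 means the endpoint answered the guess; a 401/403 did not.
        "succeeded": m["status"] == "200",
    }


def detect(lines, threshold: int = 3):
    """Return (probes, alerts): every probe seen, and client IPs at/over the threshold.

    Auth state is not visible in an access log, so every matching request is
    treated as potentially unauthenticated (assumption). Repetition of
    successful probes per client is what separates enumeration from noise.
    """
    probes = [p for p in (classify_line(line) for line in lines) if p]
    per_ip = Counter(p["ip"] for p in probes if p["succeeded"])
    alerts = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return probes, alerts


# Constructed sample log: one client walking the oracle, two unrelated requests,
# and one rejected probe via the trailing-slash path.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Oct/2023:10:00:01 +0000] "GET /wp-json/wp/v2/users?search=@ HTTP/1.1" 200 412 "-" "curl/8.1"',
    '203.0.113.7 - - [16/Oct/2023:10:00:02 +0000] "GET /wp-json/wp/v2/users?search=a%40 HTTP/1.1" 200 412 "-" "curl/8.1"',
    '203.0.113.7 - - [16/Oct/2023:10:00:03 +0000] "GET /?rest_route=/wp/v2/users&search=ad%40 HTTP/1.1" 200 412 "-" "curl/8.1"',
    '198.51.100.2 - - [16/Oct/2023:10:00:04 +0000] "GET /wp-json/wp/v2/users?search=alice HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [16/Oct/2023:10:00:05 +0000] "GET /wp-json/wp/v2/posts?search=@ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [16/Oct/2023:10:00:06 +0000] "GET /wp-json/wp/v2/users/?search=%40 HTTP/1.1" 401 77 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    found, alerted = detect(SAMPLE_LOG)
    for p in found:
        print(f"probe from {p['ip']}: search={p['search']} succeeded={p['succeeded']}")
    for ip, n in alerted.items():
        print(f"ALERT {ip}: {n} successful user-search probes")
```

The rule matches on the request shape rather than on the response body, which is all an access log offers; where a WAF or reverse proxy also records the response Content-Type and body prefix, the '[{"id' check from the record can be added to `classify_line` as a second condition.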

CVSS provenance

nvd            v3.1   5.3   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
osv                   5.3   MEDIUM
vendor_debian         5.3   MEDIUM