CVE-2023-5561
Published 2023-10-16
CVE-2023-5561: WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of…
Priority: P3 44 · medium · 5.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: EPSS 3.86% (88.9th percentile)
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
Affected
38 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 6.1.6+dfsg1-0+deb12u1 (bookworm) | wordpress 6.1.6+dfsg1-0+deb12u1 (bookworm) |
| wordpress | wordpress | >= 0 < 5.7.11+dfsg1-0+deb11u1 | 5.7.11+dfsg1-0+deb11u1 |
| wordpress | wordpress | >= 0 < 6.1.6+dfsg1-0+deb12u1 | 6.1.6+dfsg1-0+deb12u1 |
| wordpress | wordpress | >= 0 < 6.3.2+dfsg1-1 | 6.3.2+dfsg1-1 |
| wordpress | wordpress | >= 0 < 6.3.2+dfsg1-1 | 6.3.2+dfsg1-1 |
| wordpress | wordpress | >= 4.7 < 4.7.27 | 4.7.27 |
| wordpress | wordpress | >= 4.7.0 < 4.7.27 | 4.7.27 |
| wordpress | wordpress | >= 4.8 < 4.8.23 | 4.8.23 |
| wordpress | wordpress | >= 4.8.0 < 4.8.23 | 4.8.23 |
| wordpress | wordpress | >= 4.9 < 4.9.24 | 4.9.24 |
| wordpress | wordpress | >= 4.9.0 < 4.9.24 | 4.9.24 |
| wordpress | wordpress | >= 5.0 < 5.0.20 | 5.0.20 |
| wordpress | wordpress | >= 5.0.0 < 5.0.20 | 5.0.20 |
| wordpress | wordpress | >= 5.1 < 5.1.17 | 5.1.17 |
| wordpress | wordpress | >= 5.2 < 5.2.19 | 5.2.19 |
| wordpress | wordpress | >= 5.2.0 < 5.2.19 | 5.2.19 |
| wordpress | wordpress | >= 5.3 < 5.3.16 | 5.3.16 |
| wordpress | wordpress | >= 5.3.0 < 5.3.16 | 5.3.16 |
| wordpress | wordpress | >= 5.4 < 5.4.14 | 5.4.14 |
| wordpress | wordpress | >= 5.4.0 < 5.4.14 | 5.4.14 |
| wordpress | wordpress | >= 5.5 < 5.5.13 | 5.5.13 |
| wordpress | wordpress | >= 5.5.0 < 5.5.13 | 5.5.13 |
| wordpress | wordpress | >= 5.6 < 5.6.12 | 5.6.12 |
| wordpress | wordpress | >= 5.6.0 < 5.6.12 | 5.6.12 |
| wordpress | wordpress | >= 5.7 < 5.7.10 | 5.7.10 |
Detection & IOCs (extracted from sources)
- Monitor unauthenticated GET requests to the WordPress User REST API endpoints (/wp-json/wp/v2/users or /?rest_route=/wp/v2/users) containing a 'search' parameter with email-like patterns (e.g., '@'), which is indicative of an Oracle-style email enumeration attack.
- A successful probe returns HTTP 200 with Content-Type application/json and a body containing '[{"id' and 'name:' fields. Alert on repeated unauthenticated requests matching this response pattern against the users endpoint.
- The vulnerability affects WordPress versions 4.7.0 through 6.3.1. Identify unpatched instances by checking the WordPress version; fixed in 6.3.2 and backported patches.
- The search query is applied to the user_email column in the database even though email addresses are not returned in results to unauthenticated users. Repeated requests with incremental email character guesses (oracle-style) can confirm valid addresses.
- The attack only exposes email addresses of users who have published public posts or pages; accounts with no public content are not enumerable via this method.
- The Nuclei template uses a two-step flow: first confirming WordPress is present (via /wp-content/plugins in the body), then probing the users endpoint. Detection logic should account for both REST route variants, as the template tries both in clusterbomb attack mode.
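A defender-side check for the log pattern described in the bullets above, as an added example that is not part of the advisory or the Nuclei template. It assumes a combined-log-format access log, the constructed sample lines and threshold below, and that both REST route variants must be recognised.

```python
# Added example (not from the advisory or the Nuclei project): flag access-log
# entries matching the detection pattern above (GET to the users REST endpoint
# with an email-like '@' in 'search') and alert when one client repeats them.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, request line, status. The log shape is an assumption;
# note that access logs carry no authentication state, so a hit is a candidate only.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Oct/2023:10:00:01 +0000] "GET /wp-json/wp/v2/users?search=a%40 HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Oct/2023:10:00:02 +0000] "GET /wp-json/wp/v2/users?search=al%40 HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Oct/2023:10:00:03 +0000] "GET /?rest_route=/wp/v2/users&search=ali%40 HTTP/1.1" 200 512',
    '198.51.100.9 - - [16/Oct/2023:10:00:04 +0000] "GET /wp-json/wp/v2/users?search=alice HTTP/1.1" 200 512',
    '198.51.100.9 - - [16/Oct/2023:10:00:05 +0000] "GET /wp-json/wp/v2/posts?search=hello HTTP/1.1" 200 2048',
]


def is_users_probe(method: str, target: str) -> bool:
    """True if a GET hits /wp/v2/users (either route variant) with '@' in 'search'."""
    if method != "GET":
        return False
    parts = urlsplit(target)
    qs = parse_qs(parts.query)  # percent-decodes values, so %40 becomes '@'
    if parts.path.rstrip("/").endswith("/wp-json/wp/v2/users"):
        hits_endpoint = True  # pretty-permalink variant
    else:
        route = qs.get("rest_route", [""])[0]  # plain-permalink variant
        hits_endpoint = route.rstrip("/") == "/wp/v2/users"
    if not hits_endpoint:
        return False
    return any("@" in value for value in qs.get("search", []))


def find_enumeration(lines, threshold: int = 3) -> dict:
    """Return {client_ip: probe_count} for clients with >= threshold probes answered 200."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "200" and is_users_probe(m["method"], m["target"]):
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```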
CVSS provenance
- nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- osv · 5.3 MEDIUM
- vendor_debian · 5.3 MEDIUM
Debian
vendor_debian · 2023 · CVSS 5.3
CVE-2023-5561 [MEDIUM]: wordpress - WordPress does not properly restrict which user fields are searchable via the RE...
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
Scope: local
bookworm: resolved (fixed in 6.1.6+dfsg1-0+deb12u1)
bullseye: resolved (fixed in 5.7.11+dfsg1-0+deb11u1)
forky: resolved (fixed in 6.3.2+dfsg1-1)
sid: resolved (fixed in 6.3.2+dfsg1-1)
trixie: resolved (fixed in 6.3.2+dfsg1-1)
OSV
osv · 2023-10-16 · CVSS 5.3
CVE-2023-5561 [MEDIUM]: WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addres
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
GHSA
ghsa_unreviewed · 2023-10-16
CVE-2023-5561 [MEDIUM] CWE-200 GHSA-x7w6-3cp2-qjcv: The Popup Builder WordPress plugin through 4
The Popup Builder WordPress plugin through 4.1.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
No detection rules found.
Nuclei
nuclei · CVSS 5.3
CVE-2023-5561 [MEDIUM] WordPress Core - Post Author Email Disclosure
WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is applied to the user_email column.
Template:

```yaml
id: CVE-2023-5561

info:
  name: WordPress Core - Post Author Email Disclosure
  author: nqdung2002
  severity: medium
  description: |
    WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is applied to the user_email column.
  remediation: |
    Apply
```
References:
- https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html
- https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
- https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441

Published: 2023-10-16