Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-5561 — Sensitive Information Exposure in Wordpress

CWE-200 — Sensitive Information Exposure7 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

53.0%

top 2.03%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Wordpress

Timeline

PublishedOct 16

Latest updateMar 5

Description

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5wordpress/wordpress6.3.0 — 6.3.2+15

▶NVDwordpress/wordpress4.7 — 4.7.27+16

▶Debianwordpress/wordpress< 5.7.11+dfsg1-0+deb11u1+3

🔴Vulnerability Details

CVEList

WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure↗2023-10-16

▶

OSV

CVE-2023-5561: WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addres↗2023-10-16

▶

GHSA

GHSA-x7w6-3cp2-qjcv: The Popup Builder WordPress plugin through 4↗2023-10-16

▶

💥Exploits & PoCs

Nuclei

WordPress Core - Post Author Email Disclosure

▶

📋Vendor Advisories

Debian

CVE-2023-5561: wordpress - WordPress does not properly restrict which user fields are searchable via the RE...↗2023

▶

💬Community

HackerOne

CVE-2023-5561 on Payapps.com↗2025-03-05

▶