CVE-2023-5561

medium

Description

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.

References

https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441

https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/

https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html

Details

Source: Mitre, NVD

Published: 2023-10-16

Updated: 2023-11-20

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium