Description

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

Remediation

References

CVE-2023-5561

Related Vulnerabilities

WordPress Plugin WordPress Email Marketing-WP Email Capture Multiple Vulnerabilities (3.9.3)

Squid Improper Input Validation Vulnerability (CVE-2014-3609)

WordPress Plugin Appointment Booking Calendar Multiple Vulnerabilities (1.1.7)

ownCloud Improper Authentication Vulnerability (CVE-2020-10254)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2009-4300)

Severity

Medium

Classification

CVE-2023-5561 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities