CVE-2023-5561

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-5561

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-5561.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-5561

Aliases

Downstream

DEBIAN-CVE-2023-5561

DLA-3658-1

DSA-5685-1

UBUNTU-CVE-2023-5561

Published

2023-10-16T20:15:18Z

Modified

2025-10-14T15:32:55Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

References

Affected packages

Git / github.com/wordpress/wordpress

Affected ranges

Type: GIT
Repo: https://github.com/wordpress/wordpress
Events: Introduced

14247ee4302378d292863865c643abe99bbfe3c7

Fixed

03505cd7f9898a337013d638fffb15fb6237ac99

Type: GIT
Repo: https://github.com/wordpress/wordpress-develop
Events: Introduced

efa83f48bd4ebd066e5efc94b9feefe50e7925a2

Fixed

44f6b667c73c73f311ccf30559bc31323f929882