Vulnerability in WordPress

CVE-2023-5561

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style a…

EPSS: 0.530 (98.0th percentile).

Frequently asked questions

What is CVE-2023-5561?
CVE-2023-5561 is a vulnerability in WordPress, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Published 2023-10-16.
Is CVE-2023-5561 known to be exploited?
11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.