Description

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

Remediation

References

CVE-2023-5561

Related Vulnerabilities

Jenkins Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-3723)

WebLogic CVE-2018-3201 Vulnerability (CVE-2018-3201)

MySQL CVE-2020-2686 Vulnerability (CVE-2020-2686)

WordPress Plugin Login Security Solution Multiple Unspecified Vulnerabilities (0.50.0)

WordPress Plugin WP Email Users SQL Injection (1.4.3)

Severity

Medium

Classification

CVE-2023-5561 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities