Description
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
Remediation
References
Related Vulnerabilities
WordPress 4.3.x Prototype Pollution (4.3 - 4.3.27)
WordPress Plugin Groups Multiple Cross-Site Scripting Vulnerabilities (1.8.0)
Oracle Database Server CVE-2020-2731 Vulnerability (CVE-2020-2731)
IBM RTC Cross-site Scripting (XSS) Vulnerability (CVE-2020-4733)
WordPress Plugin Ship To eCourier Cross-Site Request Forgery (1.0.1)