Unrated severity · NVD Advisory · Published Oct 16, 2023 · Updated Apr 23, 2025
WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure
CVE-2023-5561
Description
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.
Affected products
- osv-coords (2 versions): >= 4.7.0, < 4.7.27 (+ 1 more)
- (no CPE) range: >= 4.7.0, < 4.7.27
- (no CPE) range: >= 4.7.0, < 4.7.27
Patches
No patches discovered yet.
References
- wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441 (mitre, exploit, vdb-entry, technical-description)
- wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/ (mitre, technical-description)
- lists.debian.org/debian-lts-announce/2023/11/msg00014.html (mitre)