CVE-2023-5561

MEDIUM NUCLEI

WordPress - Info Disclosure

Title source: llm

Description

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.

Exploits (3)

nomisec WORKING POC 4 stars
by pog007 · poc
https://github.com/pog007/CVE-2023-5561-PoC
nomisec WORKING POC 2 stars
by rootxsushant · poc
https://github.com/rootxsushant/CVE-2023-5561-POC-Updated
nomisec WORKING POC 1 star
by dthkhang · poc
https://github.com/dthkhang/CVE-2023-5561-PoC

Nuclei Templates (1)

WordPress Core - Post Author Email Disclosure
MEDIUM · VERIFIED · by nqdung2002
Shodan: cpe:"cpe:2.3:a:wordpress:wordpress" || http.component:"wordpress"
FOFA: body="oembed" && body="wp-"

Scores

CVSS v3 5.3
EPSS 0.5302
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

Status published
Products (1)
wordpress/wordpress 4.7 - 4.7.27
Published Oct 16, 2023
Tracked Since Feb 18, 2026