{"id":"CVE-2023-5561","details":"WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack","aliases":["BIT-wordpress-2023-5561","BIT-wordpress-multisite-2023-5561"],"modified":"2026-04-12T07:05:18.396924Z","published":"2023-10-16T20:15:18.073Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00014.html"},{"type":"ADVISORY","url":"https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441"},{"type":"EVIDENCE","url":"https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"14247ee4302378d292863865c643abe99bbfe3c7"},{"fixed":"03505cd7f9898a337013d638fffb15fb6237ac99"},{"introduced":"06fa4161aa74619239cf27017d124081c825684a"},{"fixed":"001372026131225d4039926bb39141710c30b3a2"},{"introduced":"29ffbff370968ae48a1b7a34e35c8b8e75cf0f91"},{"fixed":"ca00907bae8974ddff310fe67726c6946336a63c"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"37f24ed72a9b7d93fac02415e23cc244d2bb2efc"},{"introduced":"c33464a4554cff8a082bc353d9226d8104b80d2b"},{"fixed":"73d4c1c7eabaed5e23e032f889125837bb067d08"},{"introduced":"6fe64752be3260f2a47f38e68c2cb77400e5a0c9"},{"fixed":"974063fd8e375f8c0b9f9eab8267a7dff8f792ea"},{"introduced":"50dc0ca5bb332c895f0f39fe4e6ee1e4a43e06dc"},{"fixed":"5b4810a879c6bbb32e1b1d0d7c4748243b2f6572"},{"introduced":"9ff4499281663b0c772787fd4a60538288f842e9"},{"fixed":"5362cad58167451efd92a7c669295d10b0dc3e95"},{"introduced":"537fd931bc02e6e934a2d774422b897871aa87ad"},{"fixed":"068534071426b5794ccde15219f898ba3b2c560f"},{"introduced":"965fcddcf68cf4fd122ae24b992e242dfea1d773"},{"fixed":"078aab979f288508c09e4329628d3b67b1538d11"},{"introduced":"058f9903676a7efaee534a682df0a2
a8b87574d8"},{"fixed":"1748dbad369310bf3611e175e0272df7e28a3d0d"},{"introduced":"50caeb6e61ad0c49d2c7e1d6d5115047a011f590"},{"fixed":"2324b11a547e10a16618246baf6deb2ed5a35165"},{"introduced":"73157386d069425c5e6ea7c4fc0122e8a9b58a7b"},{"fixed":"bcb0013f3603bc012836e3367d81b24790dd631a"},{"introduced":"cc101b64012b16d087780657a2b828ccd7794a63"},{"fixed":"105fef7fbd741e358810d5e7fda2fbf9c31ca997"},{"introduced":"6c5d5b5dcb9712bfc400b09cb6627e42898527af"},{"fixed":"b4591fa6388e470f60c87f6bd0182e577d3621bd"},{"introduced":"17e2eff4aa3beb2802cbec12b6f08e2fbf69893d"},{"fixed":"cf8d68b5ac4eec8d39f2f956f681d87720aaa8fb"},{"introduced":"ac3899153a790a6f060dc816ff94812e0fd99875"},{"fixed":"ffb401296259cc20eed753bf0f934221df45e32e"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"4.7"},{"fixed":"4.7.27"},{"introduced":"4.8"},{"fixed":"4.8.23"},{"introduced":"4.9"},{"fixed":"4.9.24"},{"introduced":"5.0"},{"fixed":"5.0.20"},{"introduced":"5.1"},{"fixed":"5.1.17"},{"introduced":"5.2"},{"fixed":"5.2.19"},{"introduced":"5.3"},{"fixed":"5.3.16"},{"introduced":"5.4"},{"fixed":"5.4.14"},{"introduced":"5.5"},{"fixed":"5.5.13"},{"introduced":"5.6"},{"fixed":"5.6.12"},{"introduced":"5.7"},{"fixed":"5.7.10"},{"introduced":"5.8"},{"fixed":"5.8.8"},{"introduced":"5.9"},{"fixed":"5.9.8"},{"introduced":"6.0"},{"fixed":"6.0.6"},{"introduced":"6.1"},{"fixed":"6.1.4"},{"introduced":"6.2"},{"fixed":"6.2.3"},{"introduced":"6.3"},{"fixed":"6.3.2"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-5561.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}