CVE-2023-5561

Description

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

How to fix CVE-2023-5561

To remediate CVE-2023-5561, upgrade the affected package to a fixed version below.

• —upgrade to 4.7.27 or later
• —upgrade to 4.7.27 or later
• —upgrade to 5.7.11+dfsg1-0+deb11u1 or later

Is CVE-2023-5561 being exploited?

Likely — EPSS is 53.0%, placing CVE-2023-5561 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

• >= 4.7.0, < 4.7.27, >= 4.8.0, < 4.8.23, >= 4.9.0, < 4.9.24, >= 5.0.0, < 5.0.20, >= 5.1.0, < 5.1.17, >= 5.2.0, < 5.2.19, >= 5.3.0, < 5.3.16, >= 5.4.0, < 5.4.14, >= 5.5.0, < 5.5.13, >= 5.6.0, < 5.6.12, >= 5.7.0, < 5.7.10, >= 5.8.0, < 5.8.8, >= 5.9.0, < 5.9.8, >= 6.0.0, < 6.0.6, >= 6.1.0, < 6.1.4, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.2
• >= 4.7.0, < 4.7.27, >= 4.8.0, < 4.8.23, >= 4.9.0, < 4.9.24, >= 5.0.0, < 5.0.20, >= 5.1.0, < 5.1.17, >= 5.2.0, < 5.2.19, >= 5.3.0, < 5.3.16, >= 5.4.0, < 5.4.14, >= 5.5.0, < 5.5.13, >= 5.6.0, < 5.6.12, >= 5.7.0, < 5.7.10, >= 5.8.0, < 5.8.8, >= 5.9.0, < 5.9.8, >= 6.0.0, < 6.0.6, >= 6.1.0, < 6.1.4, >= 6.2.0, < 6.2.3, >= 6.3.0, < 6.3.2
• from 0, < 5.7.11+dfsg1-0+deb11u1

CVSS scores

References (5)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-5561
• WEBlists.debian.org/debian-lts-announce/2023/11/msg00014.html
• WEBnvd.nist.gov/vuln/detail/CVE-2023-5561
• WEBwpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/