WordPress unauthenticated email search vulnerability (CVE-2023-5561)

CVEs

5.3 Medium Severity

Summary

In this post, we will explore an unauthenticated email disclosure in the WordPress REST API, carried out via an oracle-style attack. The exploit is quite interesting and definitely worth knowing for a future pentest!

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on…

Description

@secatgourity
