Re: Update request for CVE-2023-5561 (WordPress)
Hello,
On Thu, Nov 09, 2023 at 09:09:47AM +0100, Christian Fischer wrote:
> Hello,
>
> I would like to request an update of the status for the following CVE:
>
> https://security-tracker.debian.org/tracker/CVE-2023-5561
>
> Currently it has:
>
> > NOT-FOR-US: WordPress plugin
>
> which was correct based on the initial CVE description.
>
> But unfortunately the assigning CNA had used a wrong CVE description as this
> is not an issue in a WordPress plugin but rather directly in "WordPress
> core".
>
> The CVE description got updated in the meantime to correctly reflect that
> WordPress is affected:
>
> > WordPress does not properly restrict which user fields are searchable
> > via the REST API, allowing unauthenticated attackers to discern the
> > email addresses of users who have published public posts on an
> > affected website via an Oracle style attack
>
> so the "NOT-FOR-US" status might need an update / new evaluation.
>
> References:
> - https://nvd.nist.gov/vuln/detail/CVE-2023-5561#VulnChangeHistorySection
> - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
> - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
Thank you, I have updated the security-tracker for CVE-2023-5561.
Regards,
Salvatore
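As an added example that is not part of this thread, the Python below flags access-log requests to the WordPress users REST endpoint whose search term would reach the e-mail column, the pattern behind the oracle described in the quoted CVE text. It assumes the endpoint path /wp-json/wp/v2/users (or its ?rest_route= form), the search query parameter, and that WP_User_Query matches a term containing '@' against user_email with '*' as a wildcard; none of that is spelled out in the mail, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in combined log format (not taken from the mail or the tracker).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2023:09:10:01 +0100] "GET /wp-json/wp/v2/users?search=a*%40example.org HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [09/Nov/2023:09:10:02 +0100] "GET /wp-json/wp/v2/users?search=al*%40example.org HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [09/Nov/2023:09:11:00 +0100] "GET /wp-json/wp/v2/users?search=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Nov/2023:09:12:00 +0100] "GET /wp-json/wp/v2/posts?search=release HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

USERS_ROUTE = "/wp/v2/users"


def is_email_oracle_probe(target: str) -> bool:
    """True when a request searches the users endpoint with a term that hits the e-mail column.

    Assumption (not stated in the mail): WP_User_Query searches user_email whenever the
    term contains '@', and a leading or trailing '*' is treated as a wildcard, which is
    what makes prefix-by-prefix probing possible on sites older than 6.3.2.
    """
    url = urlparse(target)
    params = parse_qs(url.query)  # also percent-decodes, so %40 becomes '@'
    route = url.path.rstrip("/")
    if not route.endswith("/wp-json" + USERS_ROUTE):
        # Sites without pretty permalinks expose the same route via ?rest_route=
        if params.get("rest_route", [""])[0].rstrip("/") != USERS_ROUTE:
            return False
    return any("@" in term for term in params.get("search", []))


def flag_probes(log_text: str) -> list:
    """Return one record per suspicious request, noting whether a wildcard was used."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_email_oracle_probe(m["target"]):
            continue
        term = parse_qs(urlparse(m["target"]).query)["search"][0]
        hits.append({"ip": m["ip"], "ts": m["ts"], "term": term, "wildcard": "*" in term})
    return hits


if __name__ == "__main__":
    for hit in flag_probes(SAMPLE_LOG):
        print(hit)
```

Repeated wildcard hits from one client against an unpatched site are the signal to act on; on 6.3.2 and later the endpoint no longer searches the e-mail column for unauthenticated requests, so the rule mainly confirms that the upgrade closed the gap.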