Hello,

On Thu, Nov 09, 2023 at 09:09:47AM +0100, Christian Fischer wrote:
> Hello,
>
> I would like to request an update of the status for the following CVE:
>
> https://security-tracker.debian.org/tracker/CVE-2023-5561
>
> Currently it has:
>
> > NOT-FOR-US: WordPress plugin
>
> which was correct based on the initial CVE description.
>
> But unfortunately the assigning CNA had used a wrong CVE description, as this
> is not an issue in a WordPress plugin but rather directly in "WordPress
> core".
>
> The CVE description got updated in the meantime to correctly reflect that
> WordPress is affected:
>
> > WordPress does not properly restrict which user fields are searchable
> > via the REST API, allowing unauthenticated attackers to discern the
> > email addresses of users who have published public posts on an
> > affected website via an Oracle style attack
>
> so the "NOT-FOR-US" status might need an update / new evaluation.
>
> References:
> - https://nvd.nist.gov/vuln/detail/CVE-2023-5561#VulnChangeHistorySection
> - https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/
> - https://wpscan.com/vulnerability/19380917-4c27-4095-abf1-eba6f913b441
Thank you, I have updated the security-tracker, updating CVE-2023-5561.

Regards,
Salvatore
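The updated CVE text above describes an "Oracle style attack": the user search endpoint never returns the email address, but whether a given user appears in the result set for a search term reveals whether that term matches a field the attacker should not be able to search. The following Python is an added illustration of that class of bug and is not code from this thread, from WordPress, or from the wpscan write-up. It models a simplified prefix-match search over a constructed user table; the function and parameter names (search_users, search_columns, the "email" column) are assumptions chosen for the example, not WordPress internals.

```python
"""Simulated search oracle against a public user-search endpoint.

Added example, not code from the thread or from WordPress. Models the bug
class in the CVE description: a public user search that can match against
the email column lets an unauthenticated caller confirm a guessed email
prefix one character at a time, even though the response itself never
contains the address. Column and parameter names are assumptions.
"""
import string

# Constructed sample user table (fake data); only users with public posts
# are listed to unauthenticated callers, as in the CVE description.
USERS = [
    {"id": 1, "login": "alice", "display_name": "Alice",
     "email": "a.liddell@example.org", "public_posts": 3},
    {"id": 2, "login": "bob", "display_name": "Bob",
     "email": "bob.smith@example.net", "public_posts": 1},
    {"id": 3, "login": "carol", "display_name": "Carol",
     "email": "carol@example.com", "public_posts": 0},
]

SAFE_COLUMNS = ("login", "display_name")      # already visible publicly
ALL_COLUMNS = SAFE_COLUMNS + ("email",)       # email must never be searchable


def search_users(term, columns):
    """Simplified prefix search (assumption: real engines use LIKE/wildcards).
    Returns only the public fields, never the email, for matching authors."""
    hits = []
    for u in USERS:
        if u["public_posts"] == 0:
            continue
        if any(u[c].lower().startswith(term.lower()) for c in columns):
            hits.append({"id": u["id"], "name": u["display_name"]})
    return hits


def vulnerable_endpoint(search, search_columns=None):
    """Vulnerable shape: honours caller-supplied search_columns, including
    the email column, for an unauthenticated request."""
    cols = tuple(search_columns) if search_columns else ALL_COLUMNS
    return search_users(search, cols)


def hardened_endpoint(search, search_columns=None):
    """Hardened shape: for unauthenticated callers the searchable columns are
    clamped to non-sensitive fields regardless of what was requested."""
    requested = tuple(search_columns) if search_columns else SAFE_COLUMNS
    cols = tuple(c for c in requested if c in SAFE_COLUMNS) or SAFE_COLUMNS
    return search_users(search, cols)


ALPHABET = string.ascii_lowercase + string.digits + "@._-+"


def recover_email(endpoint, user_id, max_len=64):
    """Oracle attack: extend the guessed prefix one character at a time,
    keeping any character for which the target user still appears in the
    results. Returns whatever prefix the oracle confirms ('' if nothing)."""
    prefix = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            candidate = prefix + ch
            ids = {h["id"] for h in endpoint(candidate, ["email"])}
            if user_id in ids:
                prefix = candidate
                break
        else:
            break  # no extension matched: address complete or oracle closed
    return prefix


if __name__ == "__main__":
    print("vulnerable:", recover_email(vulnerable_endpoint, 1))
    print("hardened:  ", recover_email(hardened_endpoint, 1))
    print("no posts:  ", repr(recover_email(vulnerable_endpoint, 3)))
```

Against the vulnerable endpoint the loop recovers the full address of any listed author with roughly alphabet-size requests per character, without the response ever including an email field. Against the hardened endpoint the same loop only confirms the public login, because the requested email column is discarded before the query runs; the user with no public posts is not enumerable at all, matching the scope stated in the CVE text.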
