CVE-2023-5561 PoC — WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure

Source

https://github.com/dthkhang/CVE-2023-5561-PoC

Associated Vulnerability

Title:WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure (CVE-2023-5561)
Description:WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

Description

CVE-2023-5561-PoC

Readme

# PoC CVE-2023-5561 - WordPress User Email Disclosure

## Description
This script exploits the CVE-2023-5561 vulnerability in WordPress to enumerate and disclose user email addresses via the `/wp-json/wp/v2/users` API endpoint.

## Requirements
- Python 3.x
- `requests` library

Install the required library:
```bash
pip install requests
```

## Usage
1. Identify the root URL of the target WordPress site (e.g., `https://target.com`).
2. Run the script with the following syntax:

```bash
python CVE-2023-5561.py <target site root url>
```

Example:
```bash
python CVE-2023-5561.py https://target.com
```

## Result
The script will list found users and attempt to brute-force and reveal the full email address for each user if possible.

## Legal Notice
- This script is for authorized security testing and educational purposes only.
- Do not use it for malicious purposes or against systems you do not have permission to test.

File Snapshot


 [4.0K]  /data/pocs/1ec48c4ccb103daa5f65a4a5441313848bee0c72
├── [2.9K]  CVE-2023-5561.py
└── [ 930]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!