
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-5561 is a security vulnerability discovered in WordPress that affects versions from 4.7 through 6.3.1. The vulnerability was discovered by Marc Montpas and publicly disclosed on October 12, 2023. It affects the WordPress core system's REST API functionality, where the platform does not properly restrict which user fields are searchable (WPScan Blog).
The vulnerability exists in WordPress's REST API endpoint /wp-json/wp/v2/users, which improperly handles the search parameter in user queries. The issue has a CVSS v3.1 Base Score of 5.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-200 (Sensitive Data Exposure) and falls under the OWASP Top 10 category A3: Sensitive Data Exposure (WPScan Vulnerability).
The vulnerability allows unauthenticated attackers to discern the email addresses of users who have published public posts on affected WordPress websites. Through an oracle-style attack, attackers can gather email addresses of users, compromising user privacy and potentially exposing them to unauthorized access (WPScan Blog).
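One way to look for this kind of probing in web server access logs, as an added example that is not part of the original advisory or of WordPress itself: it counts distinct search values sent per client to the users endpoint. The combined log format, the `rest_route` query form of the same REST route, the threshold of 3 and the sample lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2023:10:00:01 +0000] "GET /wp-json/wp/v2/users?search=t1 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [12/Oct/2023:10:00:02 +0000] "GET /wp-json/wp/v2/users?search=t2 HTTP/1.1" 200 2 "-" "curl/8.0"
198.51.100.7 - - [12/Oct/2023:10:00:03 +0000] "GET /wp-json/wp/v2/users/?search=t3 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [12/Oct/2023:10:00:04 +0000] "GET /?rest_route=/wp/v2/users&search=t4 HTTP/1.1" 200 2 "-" "curl/8.0"
203.0.113.20 - - [12/Oct/2023:10:01:00 +0000] "GET /wp-json/wp/v2/users?search=jane HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Oct/2023:10:01:05 +0000] "GET /wp-json/wp/v2/posts?search=news HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP, request target and status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')


def users_search_term(target):
    """Return the search value if the request targets the users endpoint, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    path = parts.path.rstrip("/")
    # The same REST route can also be reached as ?rest_route=/wp/v2/users
    route = query.get("rest_route", [""])[0].rstrip("/")
    if not (path.endswith("/wp-json/wp/v2/users") or route == "/wp/v2/users"):
        return None
    terms = query.get("search")
    return terms[0] if terms else None


def flag_search_probing(log_text, threshold=3):
    """Map client IP -> number of distinct search values, for clients at or above threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, _status = m.groups()
        term = users_search_term(target)
        if term is not None:
            seen[client].add(term)
    return {ip: len(terms) for ip, terms in seen.items() if len(terms) >= threshold}


if __name__ == "__main__":
    print(flag_search_probing(SAMPLE_LOG))
```

Access logs alone do not show whether a request was authenticated, so hits from this check are leads to review rather than confirmed abuse.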
The vulnerability has been fixed in WordPress version 6.3.2, along with backported fixes for older versions including 6.2.3, 6.1.4, 6.0.6, 5.9.8, 5.8.8, 5.7.10, 5.6.12, 5.5.13, 5.4.14, 5.3.16, 5.2.19, 5.1.17, 5.0.20, 4.9.24, 4.8.23, and 4.7.27. Administrators are strongly advised to update their WordPress installations to the latest version to protect against this vulnerability (Debian Security).
Source: This report was generated using AI