CVE-2023-5692: WordPress Core Info Disclosure Flaw

CVE-2023-5692 Overview

WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This vulnerability allows unauthenticated attackers to expose the slug of a custom post whose publicly_queryable post status has been set to false, potentially revealing information that site administrators intended to keep private.

Critical Impact

Unauthenticated attackers can discover hidden post slugs for custom post types that were intentionally configured to be non-public, potentially exposing sensitive content identifiers or internal naming conventions.

Affected Products

• WordPress Core versions up to and including 6.4.3
• All WordPress installations using custom post types with publicly_queryable set to false
• Sites relying on post slug obscurity as a security measure

Discovery Timeline

• April 5, 2024 - CVE-2023-5692 published to NVD
• November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2023-5692

Vulnerability Analysis

This information disclosure vulnerability resides in WordPress Core's canonical URL handling mechanism, specifically within the redirect_guess_404_permalink function located in wp-includes/canonical.php. The function is designed to intelligently redirect users who visit non-existent URLs by attempting to guess the intended destination based on partial slug matches.

The vulnerability occurs because the function fails to properly verify whether a matched post type should be publicly accessible before attempting a redirect. When a user requests a URL that partially matches a custom post slug—even one marked as non-public—the function may inadvertently reveal the existence and complete slug of that hidden content through its redirect behavior.

This flaw undermines the expected privacy controls for custom post types, as administrators who set publicly_queryable to false would reasonably expect those post slugs to remain undiscoverable through normal browsing or enumeration techniques.

Root Cause

The root cause lies in insufficient access control checks within the redirect_guess_404_permalink function. Prior to the security fix, the function would query and potentially expose posts without first calling is_post_publicly_viewable() or is_post_type_viewable() to validate that the matched content should be accessible to the requesting user.

The vulnerable code path in canonical.php at line 763 would process the redirect guess logic without considering the post type's visibility settings, treating all matched posts equally regardless of their configured access restrictions.

Attack Vector

The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests with partial URL slugs to a WordPress installation. If the server responds with a redirect to the complete URL of a non-public post, the attacker learns the full slug of content that should be hidden.

This attack method is particularly effective for enumeration, where attackers systematically probe a WordPress site with common words or patterns to discover hidden content. The information gained could facilitate further attacks, expose confidential project names, reveal unpublished content identifiers, or provide reconnaissance data for targeted social engineering.

Detection Methods for CVE-2023-5692

Indicators of Compromise

• Unusual patterns of 404 requests followed by redirects to custom post type URLs
• High volume of requests probing URL patterns with common words or dictionary terms
• Access logs showing systematic enumeration of potential post slug patterns
• Successful redirects to URLs that should not be publicly accessible

Detection Strategies

• Monitor web server access logs for abnormal 404 redirect patterns targeting custom post type URLs
• Implement rate limiting on 404 responses to mitigate enumeration attacks
• Use WordPress security plugins that can detect and alert on potential slug enumeration attempts
• Review redirect responses in server logs for any exposure of non-public post type slugs

Monitoring Recommendations

• Enable detailed logging of HTTP redirects and their destination URLs
• Set up alerts for high-frequency 404 errors from single IP addresses
• Audit custom post type configurations to identify which content relies on slug obscurity
• Regularly review access patterns to sensitive URL paths in your WordPress installation

How to Mitigate CVE-2023-5692

Immediate Actions Required

• Update WordPress Core to version 6.4.4 or later immediately
• Review all custom post types and their publicly_queryable settings
• Audit access logs for potential exploitation attempts prior to patching
• Consider implementing additional access controls beyond relying on post slug obscurity

Patch Information

WordPress addressed this vulnerability in Changeset 57645, which adds proper visibility checks using the is_post_publicly_viewable() and is_post_type_viewable() functions before processing redirect guesses. The patch ensures that the redirect_guess_404_permalink function respects the publicly_queryable setting for custom post types.

For detailed information about the updated functions, see the WordPress developer documentation for is_post_publicly_viewable() and is_post_type_viewable().

Additional vulnerability details are available in the Wordfence Vulnerability Report.

Workarounds

• Disable the 404 redirect guessing functionality by adding a filter to short-circuit redirect_guess_404_permalink
• Implement proper authentication requirements for sensitive custom post types rather than relying on slug obscurity
• Use security plugins that provide additional access control layers for custom post types
• Consider using randomized or cryptographic slugs for sensitive content that must remain unpublished

// Disable 404 redirect guessing as a temporary workaround
add_filter('do_redirect_guess_404_permalink', '__return_false');