During a thorough analysis of WordPress’ internals, WPScan discovered a subtle bug that allowed unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website.
If successfully exploited, attackers could gather email addresses, putting user privacy at risk.
Upon identifying the vulnerability, WPScan promptly alerted the WordPress team, who released version 6.3.2 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.
WordPress’ official advisory can be found here.
Source and more details: https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/