CVE-2025-54352

Summary

WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.

Affected Software

VendorProductVersion RangeStatus
WordPressWordPress3.5 <= 6.8.2affected

Weaknesses

  • CWE-669: CWE-669 Incorrect Resource Transfer Between Spheres

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References