WordPress XML-RPC Pingback Title Guessing (v3.5–6.8.2)
CVE-2025-54352 Published on July 21, 2025
WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.
Weakness Type
Incorrect Resource Transfer Between Spheres
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Products Associated with CVE-2025-54352
Want to know whenever a new CVE is published for WordPress? stack.watch will email you.
Affected Versions
WordPress:- Version 3.5, <= 6.8.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.