CVE-2025-54352: 
WordPress vulnerability analysis and mitigation

WordPress versions 3.5 through 6.8.2 contain a vulnerability that allows remote attackers to discover titles of private and draft posts through pingback.ping XML-RPC requests. The vulnerability was discovered and reported by Imperva researchers, with the initial disclosure made on July 21, 2025 (NVD, Imperva Blog).

The vulnerability exploits the XMLRPC pingback feature, which is enabled by default in WordPress installations since version 3.5. The attack involves sending specifically crafted POST requests to the XMLRPC endpoint of the target site. When a fragment is present in the target URL, WordPress uses a regular expression that matches against all post titles in the database, including private and draft posts, creating an information disclosure vulnerability. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability can lead to the exposure of sensitive information through the leakage of private and draft post titles. Historical examples demonstrate the potential severity of such leaks - for instance, premature exposure of earnings reports or acquisition plans can result in significant market value losses, insider trading risks, and damage to company reputation (Imperva Blog).

WordPress site administrators are recommended to either update to the latest version of WordPress or disable the XMLRPC endpoint if it's not in use. Imperva customers are automatically protected against this vulnerability through both CWAF and WAF-GW dedicated protections (Imperva Blog).