What the vulnerability does
Description
WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Explanation of Vulnerability in Simple Terms
WordPress versions 3.5 through 6.8.2 contain a flaw that allows an attacker to obtain limited sensitive information through the network without authentication. The vulnerability requires specific conditions to exploit and does not enable data modification or service disruption. Site administrators should update to a version newer than 6.8.2 when available.
What an attacker can do
Read limited sensitive information from the site without logging in.
Potential impact on your site
Sensitive data may be exposed to unauthenticated attackers, though the scope is limited and does not affect site integrity or availability.
Conditions required to exploit
Network access only; no authentication or user interaction required, but exploitation requires specific conditions.