CVE-2025-54352 LOW

Vendor: WordPress
Product: WordPress
Weakness: CWE-669
Published: July 21, 2025
Last update: July 21, 2025

CVSS base score

3.7/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.

Explanation of Vulnerability in Simple Terms

02 Summary

WordPress versions 3.5 through 6.8.2 let an unauthenticated remote attacker guess the titles of private and draft posts by sending pingback.ping XML-RPC requests. Exploitation requires specific conditions and does not enable data modification or service disruption. Site administrators should update to a version newer than 6.8.2 when available; note that the supplier has stated it is not changing this behavior.

What an attacker can do

03 Attacker Capabilities

Guess the titles of private and draft posts without logging in, a limited disclosure of sensitive information.

Potential impact on your site

04 Site Impact

Sensitive data may be exposed to unauthenticated attackers, though the scope is limited and does not affect site integrity or availability.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required, but exploitation requires specific conditions.

Key dates

06 Disclosure timeline

July 21, 2025: CVE published
July 21, 2025: Record updated