WordPress
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*
- >= 3.5, <= 6.8.2
A vulnerability exists in WordPress versions 3.5 through 6.8.2, allowing remote attackers to infer the titles of private and draft posts by sending pingback.ping requests via XML-RPC. This issue arises because the pingback feature, enabled by default in new WordPress installations since 3.5, does not restrict title searches to public posts only. As a result, an attacker can exploit this by crafting requests that probe for specific substrings, effectively leaking sensitive information about unpublished content.
Exploitation of this vulnerability could lead to unauthorized access to the titles of private and draft posts, potentially causing reputational damage and financial loss, especially for businesses.
The vulnerability can be reproduced by sending pingback requests to a WordPress site's XML-RPC endpoint. The requests include the patterns that the attacker wants to search for in post titles. The server's response indicates whether titles matching those patterns exist, allowing the attacker to gradually exfiltrate private and draft post titles.
WordPress users are advised to update to the latest version and disable the XML-RPC pingback feature if it is not needed. Imperva customers are already protected against this vulnerability.
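One way to spot the repeated pingback.ping probing described above on a site that still exposes XML-RPC, as an added example (not WordPress or Imperva code). It assumes request bodies sent to the XML-RPC endpoint are captured, for instance by a WAF or audit log, as (client IP, body) pairs; the function names, the threshold and the sample records are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

THRESHOLD = 20  # assumed: distinct pingback.ping calls per client per log window


def parse_call(body):
    """Return (method_name, [params]) for an XML-RPC request body, else None."""
    # Refuse DTDs so the log parser itself is not exposed to entity expansion.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = (root.findtext("methodName") or "").strip()
    params = [(v.findtext("string") or v.text or "").strip()
              for v in root.findall("./params/param/value")]
    return name, params


def flag_pingback_probing(records, threshold=THRESHOLD):
    """records: iterable of (client_ip, body). Returns stats for flagged clients."""
    seen = defaultdict(lambda: {"calls": 0, "distinct": set()})
    for ip, body in records:
        call = parse_call(body)
        if call is None or call[0] != "pingback.ping":
            continue
        seen[ip]["calls"] += 1
        seen[ip]["distinct"].add(tuple(call[1]))
    return {ip: {"calls": s["calls"], "distinct_params": len(s["distinct"])}
            for ip, s in seen.items() if len(s["distinct"]) >= threshold}


def sample_body(method, *params):
    """Build a constructed XML-RPC request body for the sample data below."""
    items = "".join(f"<param><value><string>{p}</string></value></param>" for p in params)
    return (f'<?xml version="1.0"?><methodCall><methodName>{method}</methodName>'
            f"<params>{items}</params></methodCall>")


# Constructed sample records (documentation IPs, placeholder URLs), not real traffic.
SAMPLE = (
    [("203.0.113.7", sample_body("pingback.ping", f"https://src.example/{i}",
                                 "https://blog.example/a-post")) for i in range(25)]
    + [("198.51.100.4", sample_body("pingback.ping", "https://friend.example/p1",
                                    "https://blog.example/a-post"))] * 2
    + [("192.0.2.9", sample_body("demo.sayHello"))] * 30
    + [("192.0.2.9", "<!DOCTYPE x><methodCall/>")]
)
```

Only the client with many distinct pingback.ping calls is flagged; occasional pingbacks, other XML-RPC methods and bodies carrying a DTD are ignored.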