CVE-2025-54352

This PoC exploits a timing-based side-channel vulnerability in WordPress's XML-RPC pingback functionality to leak private/draft post titles. It uses a brute-force approach with timing analysis to infer characters of the title.

This repository contains a functional Python script that exploits the XML-RPC Pingback vulnerability in WordPress (CVE-2025-54352). The script sends crafted XML-RPC requests to a target WordPress site, leveraging the pingback.ping method to potentially trigger SSRF or other attacks.

This repository contains a functional Python script that exploits the XML-RPC Pingback vulnerability in WordPress (CVE-2025-54352). The script sends crafted XML-RPC requests to a target WordPress site, leveraging the pingback.ping method to potentially trigger SSRF or other attacks.

This repository contains a functional PoC for CVE-2025-54352, which exploits an information leak vulnerability in WordPress to retrieve the titles of private or draft posts. The PoC uses Node.js to send crafted requests to a WordPress instance and extract sensitive data.