
Description

WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attackers can send GET requests to wp.spritz.content.filter.php with malicious url values to access sensitive files like system configuration and credentials.

PUBLISHED Reserved 2026-05-17 | Published 2026-05-17 | Updated 2026-05-18 | Assigner VulnCheck




HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Product status

1.0: affected

Credits

Wadeek (finder)

References

www.exploit-db.com/exploits/44544 (ExploitDB-44544) exploit

downloads.wordpress.org/plugin/wp-with-spritz.zip (Product Reference) product

www.vulncheck.com/...in-wp-with-spritz-remote-file-inclusion (VulnCheck Advisory: WordPress Plugin WP with Spritz 1.0 Remote File Inclusion) third-party-advisory

cve.org (CVE-2018-25329)

nvd.nist.gov (CVE-2018-25329)
