CVE-2018-25329 HIGH

CVE-2018-25329: WordPress Plugin WP with Spritz 1.0 Remote File Inclusion

Vendor Wp-With-Spritz
Product WP with Spritz
Weakness CWE-98 · PHP file inclusion
Published May 17, 2026
Last update May 18, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attackers can send GET requests to wp.spritz.content.filter.php with malicious url values to access sensitive files like system configuration and credentials.

Explanation of Vulnerability in Simple Terms

02Summary

WP with Spritz contains a remote code execution vulnerability accessible over the network without authentication. An attacker can execute arbitrary code on the affected site. The vulnerability affects versions 1.0 and requires no user interaction or special privileges to exploit.

What an attacker can do

03Attacker Capabilities

Run their own code on the site without authentication.

Potential impact on your site

04Site Impact

Complete compromise of the site; attacker can modify content, steal data, or take full control.

Conditions required to exploit

05Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 17, 2026 CVE published
May 18, 2026 Record updated

Related vulnerabilities

08Related CVE