WP with Spritz Plugin Vulnerability (CVE-2018-25329)

Security Alert Summary

The WP with Spritz plugin contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into a URL parameter. Attackers can send specially crafted GET requests to a plugin PHP endpoint to access sensitive files such as system configuration and credentials.

CVE Details

• CVE ID: CVE-2018-25329
• Affected component: WordPress Plugin WP with Spritz
• Affected versions: 1.0 (as stated in the advisory)
• Published: May 17, 2026 at 1:16:44 PM UTC
• Last modified: May 17, 2026 at 1:16:44 PM UTC
• CVSS v3.1: Base score 7.5, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• Authentication / Privileges / User interaction: Authentication not required; Privileges required: None; User interaction: None
• Primary impact: Confidentiality: High; Integrity: None; Availability: None
• Weakness: CWE-98 (Improper Control of Filename for Include/Require Statement)

Technical Details

The plugin implements a PHP endpoint named wp.spritz.content.filter.php that accepts a url parameter. A remote file inclusion vulnerability exists that allows an attacker to inject file paths into that url parameter and cause the server to read and return arbitrary files. The vulnerability exists because the input provided to the endpoint is not restricted or validated to prevent inclusion of local or remote file paths.

Attackers can exploit this by sending crafted GET requests to the endpoint with malicious url values. Successful exploitation can expose sensitive files such as system configuration files and credential stores. The advisory explicitly notes exposure of system configuration and credentials; it does not document code-level mitigations or patches in the provided data.

How This Could Impact Your Website

In a typical site environment, multiple actors interact with a WordPress installation: the site owner, internal staff or editors, and external contractors or contributors. Because this vulnerability can be triggered without authentication, an external attacker could probe the plugin endpoint and retrieve files that contain configuration details or credentials. Exposed configuration files may include database connection strings or API keys, increasing the risk that an attacker can gather information useful for targeted attacks.

Practical consequences include exposure of internal user email addresses or other sensitive configuration data and an increased risk of targeted phishing or social engineering against staff or contractors based on harvested information. If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

• Update the affected plugin as soon as a patched version is available.
• Review and reduce unnecessary user roles, especially contributor-level accounts and other low-privilege accounts that are still exposed.
• Enforce strong passwords and enable two-factor authentication for editors and administrators.
• Remove unused or unmaintained plugins from your site.
• Monitor site activity and server logs for unusual GET requests to plugin endpoints such as wp.spritz.content.filter.php and unexpected file access patterns.

If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

References

• https://downloads.wordpress.org/plugin/wp-with-spritz.zip
• https://www.exploit-db.com/exploits/44544
• https://www.vulncheck.com/advisories/wordpress-plugin-wp-with-spritz-remote-file-inclusion