Description
WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attackers can send GET requests to wp.spritz.content.filter.php with malicious url values to access sensitive files like system configuration and credentials.
Published: 2026-05-17
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP with Spritz 1.0 includes a remote file inclusion flaw that permits attackers without authentication to read arbitrary files. The vulnerability arises from unsanitized url parameters in the wp.spritz.content.filter.php page. On exploitation, an adversary can retrieve sensitive files such as system configuration and credentials, compromising confidentiality and potentially enabling further attacks.

Affected Systems

The flaw affects the WordPress plugin WP with Spritz, version 1.0, which is installed on WordPress sites. Any site running this plugin is susceptible; no other vendor or product versions are noted as affected.

Risk and Exploitability

The CVSS base score is 8.7, indicating high severity. EPSS is not available, so the current exploitation probability is uncertain, but the vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the flaw simply by sending crafted GET requests to the plugin’s endpoint, so unauthenticated remote exploitation is feasible.

Generated by OpenCVE AI on May 17, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade WP with Spritz plugin to a version that resolves the RFI flaw if available.
  • If no upgrade is possible, deactivate and uninstall the plugin to eliminate the attack vector.
  • Configure the PHP environment to set allow_url_include to Off, preventing remote file inclusion.
  • Deploy a web application firewall or rule set that blocks requests containing path traversal sequences or attempting to include external resources via the url parameter.

Generated by OpenCVE AI on May 17, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp-with-spritz
Wp-with-spritz wp With Spritz
Vendors & Products Wordpress
Wordpress wordpress
Wp-with-spritz
Wp-with-spritz wp With Spritz

Sun, 17 May 2026 12:30:00 +0000

Type Values Removed Values Added
Description WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attackers can send GET requests to wp.spritz.content.filter.php with malicious url values to access sensitive files like system configuration and credentials.
Title WordPress Plugin WP with Spritz 1.0 Remote File Inclusion
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wordpress Wordpress
Wp-with-spritz Wp With Spritz
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-17T12:11:34.667Z

Reserved: 2026-05-17T11:43:06.646Z

Link: CVE-2018-25329

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-17T13:16:44.443

Modified: 2026-05-17T13:16:44.443

Link: CVE-2018-25329

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T17:00:02Z

Weaknesses