WordPress Plugin WP with Spritz RFI Allows Arbitrary File Access

/HIGH /CVSS 7.5/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityarbitrary-file-accesscwe-98
WordPress Plugin WP with Spritz RFI Allows Arbitrary File Access

The National Vulnerability Database has detailed CVE-2018-25329, a remote file inclusion (RFI) vulnerability in the WordPress Plugin WP with Spritz version 1.0. This flaw permits unauthenticated attackers to read arbitrary files by injecting malicious file paths into the url parameter. Specifically, attackers can craft GET requests to wp.spritz.content.filter.php with specially designed url values to access sensitive system files.

This vulnerability, rated High severity with a CVSS score of 7.5, presents a critical risk. An attacker exploiting this RFI could exfiltrate configuration files, credentials, and other confidential data stored on the server. The ease of exploitation, requiring no authentication and simple GET requests, makes this a prime target for opportunistic attackers scanning for exposed WordPress instances.

Defenders need to recognize that arbitrary file access is not a minor issue; it’s often a precursor to full system compromise. Once an attacker can read sensitive files, they can pivot to gain code execution, escalate privileges, or establish persistence. The attacker’s calculus here is simple: low effort, high reward, especially against unpatched systems.

What This Means For You

  • If your organization uses the WordPress Plugin WP with Spritz 1.0, you must immediately remove or disable it. This is not a vulnerability to patch; it's a component to eliminate. Audit your web server logs for any suspicious GET requests to `wp.spritz.content.filter.php` that include unusual `url` parameters, indicating attempted or successful exploitation.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1045 Software Deployment Initial Access T1204.002 Malicious File Execution

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2018-25329 - WordPress WP Spritz RFI Arbitrary File Read

Sigma YAML — free preview 
title: CVE-2018-25329 - WordPress WP Spritz RFI Arbitrary File Read
id: scw-2026-05-17-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2018-25329 by targeting the wp.spritz.content.filter.php script with a 'url=' parameter, indicative of a Remote File Inclusion (RFI) vulnerability in the WP Spritz WordPress plugin. This allows unauthenticated attackers to read arbitrary files.
author: SCW Feed Engine (AI-generated)
date: 2026-05-17
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25329/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/wp-content/plugins/wp-spritz/wp.spritz.content.filter.php'
      cs-uri-query|contains:
          - 'url='
      cs-method:
          - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2018-25329 Remote File Inclusion WordPress Plugin WP with Spritz 1.0
CVE-2018-25329 Remote File Inclusion wp.spritz.content.filter.php
CVE-2018-25329 Remote File Inclusion GET request with 'url' parameter injection
CVE-2018-25329 Information Disclosure Arbitrary file read via 'url' parameter

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 17, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-20240 — Denial of Service

CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-20
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...

vulnerabilityCVEhigh-severitycwe-532
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 5 IOCs /⚙ 4 Sigma

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...

vulnerabilityCVEmedium-severitycwe-863
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma