{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rfi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2018-25329"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WP with Spritz plugin 1.0"],"_cs_severities":["high"],"_cs_tags":["rfi","wordpress","cve-2018-25329","remote-file-inclusion"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WordPress WP with Spritz plugin, version 1.0, suffers from a remote file inclusion (RFI) vulnerability (CVE-2018-25329). This flaw enables unauthenticated attackers to read arbitrary files on the server. By crafting malicious GET requests to the \u003ccode\u003ewp.spritz.content.filter.php\u003c/code\u003e script and injecting file paths into the \u003ccode\u003eurl\u003c/code\u003e parameter, attackers can bypass authentication mechanisms and access sensitive system files. This could include configuration files, credentials, and other data that could be leveraged for further malicious activities, such as privilege escalation or data exfiltration. The vulnerability allows attackers to directly read files from the compromised server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using the vulnerable WP with Spritz plugin 1.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious GET request targeting the \u003ccode\u003ewp.spritz.content.filter.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a file path into the \u003ccode\u003eurl\u003c/code\u003e parameter of the GET request. This path points to a file the attacker wishes to read on the server.\u003c/li\u003e\n\u003cli\u003eThe web server processes the request, and the vulnerable code in \u003ccode\u003ewp.spritz.content.filter.php\u003c/code\u003e includes the specified file without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe contents of the targeted file are exposed as part of the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the HTTP response and extracts the file contents.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the exfiltrated data, searching for sensitive information such as database credentials, API keys, or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained information to further compromise the system or access other resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files on the WordPress server. This may lead to the exposure of sensitive information, such as database credentials, configuration files, or even source code. The impact of this vulnerability can range from information disclosure to complete system compromise, depending on the sensitivity of the exposed files. The CVE has a CVSS v3.1 score of 7.5 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided Sigma rule \u003ccode\u003eDetect CVE-2018-25329 Exploitation via wp.spritz.content.filter.php\u003c/code\u003e to identify exploitation attempts by monitoring web server logs.\u003c/li\u003e\n\u003cli\u003eIf the WP with Spritz plugin is installed, remove it from the WordPress installation until a patched version is available from the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual GET requests targeting the \u003ccode\u003ewp.spritz.content.filter.php\u003c/code\u003e endpoint with suspicious \u003ccode\u003eurl\u003c/code\u003e parameter values.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-17T13:19:28Z","date_published":"2026-05-17T13:19:28Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wp-with-spritz-rfi/","summary":"The WordPress WP with Spritz plugin version 1.0 is vulnerable to remote file inclusion (RFI), allowing unauthenticated attackers to read arbitrary files by injecting file paths into the `url` parameter of the `wp.spritz.content.filter.php` endpoint, potentially exposing sensitive system configuration and credentials.","title":"WordPress WP with Spritz Plugin 1.0 Remote File Inclusion","url":"https://feed.craftedsignal.io/briefs/2026-05-wp-with-spritz-rfi/"}],"language":"en","title":"CraftedSignal Threat Feed — Rfi","version":"https://jsonfeed.org/version/1.1"}