Local File Inclusion Vulnerability in Spirit Framework Plugin for WordPress
CVE-2025-10269

7.5HIGH

Key Information:

Vendor: WordPress
Status: Spirit Framework
Vendor: CVE Published:; 12 September 2025

What is CVE-2025-10269?

The Spirit Framework plugin for WordPress is susceptible to a serious Local File Inclusion vulnerability in all versions up to 1.2.13. Authenticated users with Subscriber-level access or higher are able to exploit this vulnerability, allowing them to include and execute arbitrary .php files stored on the server. This exploitation can lead to access control bypass, enabling attackers to retrieve sensitive information or execute malicious PHP code through files that they can upload. It is crucial for users and website administrators to take preventive measures to secure their installations against potential threats associated with this vulnerability.

Affected Version(s)

Spirit Framework * <= 1.2.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://patchstack.com/database/wordpress/plugin/spirit-f...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 12, 2025
Vulnerability Reserved
Sep 11, 2025

Credit

Bonds