{"id":86969,"date":"2026-04-22T22:00:23","date_gmt":"2026-04-22T22:00:23","guid":{"rendered":""},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-30T06:00:00","slug":"cve-2025-10269-spirit-framework-plugin-for-wordpress-local-file-inclusion-vulnerability","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-10269-spirit-framework-plugin-for-wordpress-local-file-inclusion-vulnerability\/","title":{"rendered":"<strong>CVE-2025-10269: Spirit Framework Plugin for WordPress Local File Inclusion Vulnerability<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>The Spirit Framework plugin for WordPress, a popular tool used by many websites, has been discovered to be vulnerable to Local File Inclusion (LFI). As a significant number of websites use WordPress and its plugins, this vulnerability can potentially affect a wide range of users and systems. The presence of this vulnerability can lead to severe consequences such as system compromise and data leakage if exploited.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-10269<br \/>\nSeverity: High (CVSS: 7.5)<br \/>\nAttack Vector: Local File Inclusion<br \/>\nPrivileges Required: Subscriber-level access and above<br \/>\nUser Interaction: Required<br \/>\nImpact: Possible system compromise or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-3109058249\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>Spirit Framework plugin for WordPress | All versions up to and including 1.2.13<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>An attacker with Subscriber-level access or above can exploit this vulnerability by including and executing arbitrary .php files on the server. This can lead to the execution of any PHP code in those files, effectively allowing the attacker to bypass access controls, obtain sensitive data, or execute code if .php file types can be uploaded and included.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-71280387\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>Here is a conceptual example of exploiting this vulnerability. Note that this is a simplified illustration and actual attacks can be more complex:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-content\/plugins\/spirit-framework\/includes\/load.php HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/php\n{ &quot;include_file&quot;: &quot;\/path\/to\/malicious\/file.php&quot; }<\/code><\/pre>\n<p>In this example, an attacker sends a POST request to the vulnerable endpoint and includes the path to a malicious .php file that they&#8217;ve uploaded to the server. This results in the malicious file being executed on the server, leading to potential compromise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The Spirit Framework plugin for WordPress, a popular tool used by many websites, has been discovered to be vulnerable to Local File Inclusion (LFI). As a significant number of websites use WordPress and its plugins, this vulnerability can potentially affect a wide range of users and systems. The presence of this vulnerability can lead [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[],"tags":[],"vendor":[],"product":[],"attack_vector":[],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-86969","post","type-post","status-publish","format-standard","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/86969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=86969"}],"version-history":[{"count":0,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/86969\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=86969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=86969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=86969"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=86969"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=86969"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=86969"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=86969"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=86969"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=86969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}