Critical Zero-Auth Flaws Expose SPIP Websites to Full Server Takeover and Database Breach — Immediate Patching Urged

SPIP Security Advisory

Affected Product: SPIP CMS Plugins
Impacted Components: Tickets Plugin & referer_spam Plugin
Risk Classification: Critical – Unauthenticated Remote Exploitation

Two critical vulnerabilities were identified in widely deployed SPIP plugins. Both issues can be exploited remotely without authentication, meaning any exposed installation running vulnerable versions is at immediate risk. The weaknesses allow either full server takeover (RCE) or direct database compromise (SQL Injection).


CVE-2026-27744

SPIP Tickets Plugin – Unauthenticated Remote Code Execution


Overview

A template rendering flaw was identified in the SPIP Tickets plugin. Improper sanitization of user-controlled input during dynamic template processing enables arbitrary code execution on the underlying web server.

Because authentication is not required, exploitation can be performed remotely through crafted HTTP requests targeting publicly accessible endpoints associated with the plugin.


Vulnerability Details

The issue stems from unsafe handling of template directives embedded within user-supplied input. During rendering, the input is interpreted by the template engine without proper filtering, allowing malicious directives to be executed in the server context.

The flaw may allow:

  • Execution of system commands
  • File inclusion
  • Arbitrary PHP execution
  • Web shell deployment
  • Persistence establishment

If the web server runs with elevated privileges, full system compromise may occur.


CVSS v3.1 Score

  • Base Score: 9.8
  • Severity: Critical
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None

Attack Scenario

An attacker may:

  1. Identify a public endpoint that processes ticket templates.
  2. Inject crafted template expressions through GET or POST parameters.
  3. Trigger template rendering.
  4. Execute arbitrary commands via template evaluation.

Payloads typically leverage SPIP's own template evaluation: the #EVAL tag evaluates a PHP expression at render time, so attacker-controlled text that reaches the template compiler as template source is evaluated with the web server's privileges.


Educational Payload Indicators

The following patterns are associated with exploitation attempts against this class of flaw (for defensive awareness only). #EVAL{...} and #INCLURE{...} are real SPIP template tags: #EVAL evaluates a PHP expression and #INCLURE pulls in another template, which is why attacker text reaching the template compiler is equivalent to arbitrary PHP execution:

#EVAL{phpinfo()}
#EVAL{system('id')}
{{exec:system('whoami')}}
{{#INCLURE{fond=../../../../../../etc/passwd}}}

Neither the {{exec:...}} form nor the {{ }} wrappers around #INCLURE are SPIP template syntax; they come from generic template-injection probes, so match on the SPIP tags themselves (#EVAL{ and #INCLURE{) rather than on the wrappers.

Encoded payloads may also be used:

#EVAL{base64_decode('cGhwaW5mbygpOw==')}

The string decodes to phpinfo(); but base64_decode() on its own only returns that text, so a working payload passes the decoded string to a further eval() or similar call. The encoding exists to slip past naive keyword matching, which is why detection should decode before matching.

Successful exploitation often results in web shell uploads such as:

shell.php
cmd.php
wp-config.bak.php

The file name carries no signal (wp-config.bak.php mimics a WordPress file so that it blends in). On a SPIP host, any PHP file newly created under a writable directory such as IMG/, tmp/ or local/ is suspect whatever it is called.

Exploitation Status

Exploitation requires minimal skill once the vulnerable endpoint is identified. Public exploit scripts are expected to circulate in offensive security communities. Automated scanning and exploitation tools can likely incorporate this vulnerability.

This information is provided strictly for defensive and educational purposes.


Impact

  • Remote command execution
  • Complete server takeover
  • Database credential exposure
  • Lateral movement inside network
  • Malware staging
  • Website defacement

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1059 – Command and Scripting Interpreter
  • T1105 – Ingress Tool Transfer
  • T1505.003 – Web Shell

Detection

Log Sources

  • Apache / Nginx access logs
  • PHP error logs
  • SPIP application logs
  • Endpoint Detection & Response (EDR) telemetry
  • Web Application Firewall logs
  • File integrity monitoring logs

Indicators of Compromise

  • Requests containing #EVAL, exec, system, passthru, including their URL-encoded forms (%23EVAL, system%28), which is what a scanner actually sends
  • Unexpected outbound connections from web server
  • New PHP files created in writable directories
  • Base64 encoded strings inside HTTP parameters
  • Abnormal 500 errors followed by successful responses

Detection Queries

Apache / Nginx Log Analysis

Requests are URL-encoded on the wire (a browser never sends a literal #, so %23EVAL is the form to expect); match both spellings, or decode the log before matching:

grep -Ei "(#EVAL|%23EVAL|system(\(|%28)|exec(\(|%28)|passthru(\(|%28)|shell_exec(\(|%28))" access.log

Splunk Query

index=web_logs
("#EVAL" OR "%23EVAL" OR "system(" OR "exec(" OR "passthru(" OR "shell_exec(")

Elastic / KQL

Web servers rarely log request bodies, so match on the URL as well as the body (ECS field names):

url.original : ("#EVAL" or "%23EVAL" or "system(" or "exec(" or "passthru(") or http.request.body.content : ("#EVAL" or "system(" or "exec(" or "passthru(")

File Creation Monitoring

Sysmon event ID 11 (FileCreate) in KQL; the directories are placeholders to be replaced with the host's web root and SPIP's writable directories (IMG/, tmp/, local/):

event.code : "11" and file.extension : "php" and file.path : (*/tmp/* or */IMG/* or */local/* or */uploads/*)
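The file-creation query above only fires where Sysmon is deployed. A baseline-and-diff check gives the same signal from cron without an agent; the following is an added example written for this page, not SPIP code or a tool from the advisory. The web root, directory layout and sample files are constructed inside a temporary directory (the plugin file name is invented), and the function list in SUSPICIOUS is an assumed triage heuristic, not a complete catalogue of web shell behaviour.

```python
"""Baseline-and-diff file integrity check for a SPIP web root (added example)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Functions a dropped web shell typically calls. They also occur in SPIP's own
# code, so a hit on a NEW or MODIFIED file is a triage signal, not proof.
SUSPICIOUS = re.compile(
    r"\b(eval|system|exec|passthru|shell_exec|base64_decode|assert)\s*\(",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifest(root: Path, baseline: dict) -> list:
    """Report PHP files that are new or changed since the baseline.

    Each finding is (relative_path, status, suspicious): status is 'new' or
    'modified', suspicious is True when the body calls a SUSPICIOUS function.
    """
    current = build_manifest(root)
    findings = []
    for rel in sorted(current):
        if not rel.endswith(".php"):
            continue
        if rel not in baseline:
            status = "new"
        elif baseline[rel] != current[rel]:
            status = "modified"
        else:
            continue  # unchanged since baseline
        body = (root / rel).read_text(errors="replace")
        findings.append((rel, status, bool(SUSPICIOUS.search(body))))
    return findings


def demo() -> list:
    """Constructed scenario: baseline a clean tree, then simulate post-exploitation."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("IMG", "local", "plugins/tickets"):
            (root / d).mkdir(parents=True)
        plugin_file = root / "plugins" / "tickets" / "tickets_fonctions.php"
        plugin_file.write_text("<?php // constructed stand-in for plugin code\n")
        (root / "IMG" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_manifest(root)

        # Attacker drops a shell into a writable dir, backdoors the plugin file;
        # a harmless cache file also appears (new, but nothing suspicious in it).
        (root / "IMG" / "cmd.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>")
        plugin_file.write_text("<?php // constructed stand-in for plugin code\nsystem($_GET['x']);\n")
        (root / "local" / "config_cache.php").write_text("<?php return array(); ?>")
        return diff_manifest(root, baseline)


if __name__ == "__main__":
    for rel, status, suspicious in demo():
        print(f"{status:9} {'SUSPICIOUS' if suspicious else 'review'}  {rel}")
```

Store the baseline manifest off-host (an attacker with write access to the web root can otherwise rewrite it), and regenerate it immediately after every legitimate plugin update so that the patch itself does not show up as a modification.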

Mitigation

  • Upgrade the Tickets plugin immediately.
  • Restrict write permissions on web directories.
  • Disable dangerous PHP functions where feasible (exec, system, shell_exec, passthru); this narrows post-exploitation but does not stop the template evaluation itself, because eval is a language construct that disable_functions cannot switch off.
  • Deploy WAF rules blocking template directive patterns (#EVAL{, #INCLURE{ and their URL-encoded forms); treat this as a stopgap until the plugin is upgraded, since encoding variants routinely bypass pattern rules.
  • Implement file integrity monitoring.

Official Patch

The vulnerability is addressed in the updated version available through the official SPIP plugin repository:

Official Update Link:
https://plugins.spip.net/tickets.html

Administrators should upgrade to the latest secure version released by the maintainers.


CVE-2026-27743

SPIP referer_spam Plugin – Unauthenticated SQL Injection


Overview

A critical SQL injection vulnerability was identified in the referer_spam plugin. Improper input validation allows arbitrary SQL statements to be executed without authentication.

User-controlled parameters are concatenated directly into SQL queries without proper escaping or prepared statements.


Vulnerability Details

Input received through HTTP parameters is embedded directly into SQL statements. No sanitization or parameter binding is performed before query execution.

Attackers can manipulate queries to:

  • Extract database contents
  • Dump user credentials
  • Modify or delete records
  • Bypass authentication logic
  • Potentially escalate to remote code execution (if file write privileges exist)

CVSS v3.1 Score

  • Base Score: 9.1
  • Severity: Critical
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None

Attack Scenario

An attacker sends crafted requests containing malicious SQL payloads to the plugin's exposed parameter. The database interprets the injected text as part of the original query, and the response content (or its timing, for blind variants) leaks the result.

Detection usually has to rely on web server logs alone: MySQL and MariaDB ship with the general query log disabled, so unless it was enabled beforehand there is no database-side record of the injected statements.


Educational Payloads

Boolean-based injection:

' OR 1=1--

Union-based extraction (spip_auteurs keeps credentials in the login and pass columns; what leaks is the password hash, not a plaintext password):

' UNION SELECT login,pass FROM spip_auteurs--

Time-based blind injection (MySQL/MariaDB SLEEP(); a response that consistently takes about five seconds longer confirms the injection without any visible output):

' AND SLEEP(5)--

Stacked query attempt:

'; DROP TABLE spip_auteurs;--

Stacked queries normally fail when the application reaches MySQL through mysqli_query(), which executes one statement per call, so this payload is more useful as a scanner fingerprint than as a working attack; the UNION and blind forms are the ones that succeed.

These examples are provided for defensive awareness only.


Exploitation Status

SQL injection vulnerabilities are trivial to automate. Public scanners and exploitation frameworks can detect and exploit this class of vulnerability quickly once disclosure occurs.

Internet-facing instances are particularly vulnerable to automated mass exploitation.


Impact

  • Complete database dump
  • Administrator credential theft
  • Session hijacking
  • Data manipulation or deletion
  • Possible server compromise if chained

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1005 – Data from Local System
  • T1552 – Unsecured Credentials

Detection

Log Sources

  • Web server access logs
  • Database general query logs
  • MySQL/MariaDB slow query logs
  • WAF logs
  • SIEM correlation alerts

Indicators of Compromise

  • Presence of UNION SELECT
  • SQL syntax errors in responses
  • Time delays consistent with SLEEP() usage
  • High-frequency parameter tampering attempts
  • Requests containing ' OR 1=1

Detection Queries

Apache Log Review

Attackers URL-encode payloads (UNION%20SELECT, OR+1%3D1), and a bare -- matches far too many legitimate lines, so decode first and match on the decoded form:

python3 -c 'import sys, urllib.parse as u; sys.stdout.write(u.unquote_plus(sys.stdin.read()))' < access.log | grep -Ei "(UNION +SELECT|OR +1=1|SLEEP\(|INFORMATION_SCHEMA)"

Splunk Query

index=web_logs 
("UNION SELECT" OR "OR 1=1" OR "SLEEP(" OR "INFORMATION_SCHEMA")

Elastic / KQL

url.original : ("UNION SELECT" or "UNION%20SELECT" or "OR 1=1" or "SLEEP(") or http.request.body.content : ("UNION SELECT" or "OR 1=1" or "SLEEP(")

MySQL Log Inspection

Only meaningful if the general query log was enabled (general_log=ON; the file name below stands in for general_log_file). A bare UNION also occurs in legitimate queries, so review matches rather than alerting on them:

grep -Ei "(UNION +SELECT|SLEEP\(|INFORMATION_SCHEMA)" mysql.log
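The grep, Splunk and KQL queries for both CVEs match on literal strings, which misses encoded requests. The following added example (written for this page, not from the advisory or the SPIP project) parses combined-format access log lines, URL-decodes the request target twice, and matches the template-injection indicators from CVE-2026-27744 and the SQL-injection indicators from CVE-2026-27743 in one pass. The log lines are constructed, and the request paths in them are placeholders rather than known vulnerable SPIP endpoints.

```python
"""Decode-then-match detection for both SPIP advisories over access logs (added example)."""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

INDICATORS = {
    # CVE-2026-27744: SPIP template tags and PHP execution functions
    "spip_template_eval": re.compile(r"#EVAL\{", re.I),
    "spip_template_include": re.compile(r"#INCLURE\{[^}]*fond\s*=[^}]*\.\./", re.I),
    "php_exec_function": re.compile(r"\b(system|exec|passthru|shell_exec)\s*\(", re.I),
    # CVE-2026-27743: SQL injection probes (a bare -- is deliberately not an indicator)
    "sqli_union": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "sqli_boolean": re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I),
    "sqli_time": re.compile(r"\bSLEEP\s*\(\s*\d+", re.I),
    "sqli_schema": re.compile(r"\bINFORMATION_SCHEMA\b", re.I),
}


def decode_target(target: str) -> str:
    """Two passes: %2523 -> %23 -> '#'. A second pass over plain text changes nothing."""
    return unquote_plus(unquote_plus(target))


def scan_line(line: str):
    """Return (ip, decoded_target, [indicator names]) or None when nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return (m.group("ip"), decoded, hits) if hits else None


def scan_log(lines) -> list:
    """Scan an iterable of log lines; one tuple per suspicious request."""
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample lines; the paths are placeholders, not real SPIP endpoints.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /spip.php?page=tickets HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2026:10:01:05 +0000] "GET /spip.php?page=tickets&x=%23EVAL%7Bphpinfo%28%29%7D HTTP/1.1" 200 81234',
    '198.51.100.7 - - [12/Mar/2026:10:01:09 +0000] "POST /spip.php?page=tickets&x=%2523EVAL%257Bsystem%2528%2527id%2527%2529%257D HTTP/1.1" 500 421',
    '198.51.100.7 - - [12/Mar/2026:10:01:12 +0000] "GET /spip.php?page=tickets&x=%23INCLURE%7Bfond%3D../../../../etc/passwd%7D HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Mar/2026:10:02:00 +0000] "GET /spip.php?page=referer_spam&ref=%27+UNION+SELECT+login,pass+FROM+spip_auteurs-- HTTP/1.1" 200 2210',
    '198.51.100.9 - - [12/Mar/2026:10:02:06 +0000] "GET /spip.php?page=referer_spam&ref=%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 2210',
    '203.0.113.11 - - [12/Mar/2026:10:03:00 +0000] "GET /spip.php?article12&order=1 HTTP/1.1" 200 3001',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {','.join(hits):40} {target}")
```

The last sample line (order=1) is there to show that the boolean pattern requires whitespace and digits around the operator, so ordinary query strings containing "or" do not fire. Double decoding is a deliberate trade-off: it will occasionally turn a legitimate %2B into a space, which is acceptable for a detection pass but would not be for input validation.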

Mitigation

  • Upgrade the referer_spam plugin immediately.
  • Replace dynamic SQL with prepared statements or, in SPIP code, with the sql_* abstraction layer and sql_quote() for every value that enters a query.
  • Restrict database user permissions; in particular the application account must not hold the FILE privilege, since that is what turns SQL injection into a file write and the RCE chain mentioned above.
  • Enable database query logging (the general query log adds write load on busy servers, so scope or sample it).
  • Deploy WAF rules to block SQL injection patterns.
  • Conduct database integrity review.

Official Patch

The corrected version is available through the official SPIP plugin repository:

Official Update Link:
https://plugins.spip.net/referer_spam.html

Administrators should upgrade to the latest version published by the maintainers.


Overall Risk Advisory

Both vulnerabilities are remotely exploitable without authentication. If these plugins are installed on internet-facing SPIP deployments, exploitation risk is considered extremely high.

Immediate remediation is strongly recommended.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.