PT-2024-6564 · Spip

Author: Louka Jacques-Chevallier
Published: 2024-08-19 · Updated: 2025-12-08
CVE: CVE-2024-7954
CVSS v2.0: 10.0 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16

Description: The porte plume plugin shipped with SPIP is vulnerable to arbitrary code execution. A remote, unauthenticated attacker can execute arbitrary PHP code with the privileges of the SPIP user by sending a crafted HTTP request.

Recommendations: For SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16, upgrade to 4.30-alpha2, 4.2.13, or 4.1.16 or later to mitigate the risk of remote exploitation. As a temporary workaround, disable the porte plume plugin until the upgrade can be applied. Restrict network access to the SPIP instance to minimize the risk of exploitation.

Tags: Exploit, Fix, RCE, Improper Access Control, Eval Injection

Weakness Enumeration: (none listed)

Related Identifiers: BDU:2024-07708, CVE-2024-7954

Affected Products: Spip, Porte Plume