PT-2026-21859 · WordPress · Spip Tickets Plugin

Valentin Lobstein +1 · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27744

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SPIP tickets plugin versions prior to 4.3.3

Description

The SPIP tickets plugin is affected by a remote code execution issue. An unauthenticated attacker can execute code on the web server through crafted content injection. The plugin appends untrusted request parameters into HTML that is rendered by a template using unfiltered environment rendering (#ENV), disabling SPIP output filtering. This allows the attacker to inject content that is evaluated by SPIP’s template processing chain.

Recommendations

Update the SPIP tickets plugin to version 4.3.3 or later.
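
For auditing other templates for the pattern the description names, the following added example (not code from the plugin, from SPIP or from this advisory) lists every `#ENV` tag that opts out of default filtering. It assumes SPIP's star-suffix convention, where `#ENV*` reduces the default processing and `#ENV**` also drops the script-neutralising filter; the function names and the sample template are constructed for illustration.

```python
import re
from pathlib import Path

# Matches #ENV, #ENV* and #ENV** with an optional {name...} argument.
# Assumption: a star suffix on a SPIP tag switches off default filtering,
# one star partially and two stars completely.
ENV_TAG = re.compile(r"#ENV(\*{0,2})(?:\{([^{},|]+))?")

LEVELS = {"*": "reduced-filtering", "**": "unfiltered"}


def audit_template(text, name="<memory>"):
    """Return (name, line_no, variable, level) for every star-suffixed #ENV."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ENV_TAG.finditer(line):
            stars, var = match.group(1), match.group(2)
            if stars:  # plain #ENV keeps its default filters, so skip it
                findings.append(
                    (name, line_no, (var or "<all>").strip(), LEVELS[stars])
                )
    return findings


def audit_tree(root):
    """Audit every .html template under root, e.g. a plugin directory."""
    findings = []
    for path in sorted(Path(root).rglob("*.html")):
        findings += audit_template(path.read_text(errors="replace"), str(path))
    return findings


# Constructed sample template, not taken from the tickets plugin.
SAMPLE = """<div class="titre">#ENV{titre}</div>
<div class="apercu">#ENV**{apercu}</div>
<input value="[(#ENV*{valeur}|attribut_html)]" />
"""

if __name__ == "__main__":
    for finding in audit_template(SAMPLE, "sample.html"):
        print(*finding, sep="\t")
```

Each finding is a review lead rather than a confirmed defect: what matters is whether the listed variable can carry request data that reaches the tag without escaping.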

Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related Identifiers

CVE-2026-27744

Affected Products

Spip Tickets Plugin