Impact
SPIP versions prior to 4.4.9 allow attackers to inject malicious JavaScript through form, button, and anchor tags in the private area, because the echappe_anti_xss() sanitization function was not applied to these elements. This cross-site scripting flaw can lead to arbitrary client-side code execution, enabling credential theft, session hijacking, or defacement. The vulnerability corresponds to CWE-79 and is not mitigated by the SPIP security screen.
Affected Systems
All installations of the SPIP content management system running a release earlier than 4.4.9 (SPIP:SPIP prior to 4.4.9) are affected. No further sub-product distinctions are specified; any website that uses a pre-4.4.9 SPIP build exposes the private area to XSS.
Risk and Exploitability
The Common Vulnerability Scoring System assigns a score of 4.8, indicating low to moderate severity. The Exploit Prediction Scoring System score is below 1%, suggesting a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The likely attack vector is an authenticated user who can submit content in the private area; the attacker crafts malicious input that is never passed through the missing escape routine. Because the flaw exists only in private area pages, the scope of impact is restricted to visitors of those pages, but if an end-user shares compromised content, widespread exposure could occur. Without an available public exploit, the threat remains theoretical, yet the inability of the SPIP security screen to mitigate the flaw calls for cautious remediation.
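An added example, not part of the advisory or of SPIP's code: a Python audit that scans stored content fragments for form, button and anchor tags carrying event-handler attributes or script-scheme URLs, for reviewing content saved on a pre-4.4.9 install. The attribute lists, the scheme list and the sample fragments are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Tags the advisory names as missing sanitization in the private area.
AUDITED_TAGS = {"form", "button", "a"}
# Assumption: attributes on those tags that take a URL.
URL_ATTRS = {"href", "action", "formaction"}
# Assumption: URL schemes treated as script-bearing for this audit.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class _TagAuditor(HTMLParser):
    """Collects suspicious attributes on the audited tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes
        # character references in attribute values before this call.
        if tag not in AUDITED_TAGS:
            return
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler"))
            elif name in URL_ATTRS:
                # Drop whitespace and control characters before comparing;
                # this can over-report, which is acceptable for an audit.
                compact = "".join(c for c in (value or "") if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append((tag, name, "script URL"))


def audit_fragment(html):
    """Return (tag, attribute, reason) for each script-bearing attribute."""
    auditor = _TagAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample fragments, not taken from any real site.
SAMPLES = {
    "clean": '<a href="https://example.org/">doc</a><button type="submit">OK</button>',
    "handler": '<button onclick="x()">OK</button>',
    "scheme": '<form action="javascript:x()"><a HREF=" JavaScript:x()">l</a></form>',
}

if __name__ == "__main__":
    for label, fragment in SAMPLES.items():
        print(label, audit_fragment(fragment))
```

Any finding marks content that should be reviewed by hand; an empty result only means none of the listed patterns appeared in the audited tags.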